ML19317E685

NUREG-1178 - Vital Equipment/Area Guidelines Study: Vital Area Committee Report
Issue date: 02/28/1988
From: Office of Nuclear Reactor Regulation
To: Purdy G 301.287.3629
References: NUREG-1178

NUREG-1178
Vital Equipment/Area Guidelines Study: Vital Area Committee Report
Final Report
Manuscript Completed: March 1986
Date Published: February 1988
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555

ABSTRACT

A study was conducted by the staff (1) to re-evaluate the guidelines and bases used to determine what are the vital equipment and areas to be protected against radiological sabotage in nuclear power plants and (2) to recommend revised guidance.

On the basis of this study, the staff has recommended a revised vital equipment/area protection philosophy: to protect as vital the reactor coolant pressure boundary and one train of equipment that would provide the capability to achieve and maintain hot shutdown.

To implement this overall protection philosophy, the staff also has recommended new analysis assumptions or guidelines to identify the specific equipment and areas in each plant that require protection as "vital".

NUREG-1178 iii

CONTENTS

  • ABSTRACT
  • FOREWORD
EXECUTIVE SUMMARY
  • MEMORANDUM TRANSMITTING VITAL AREA COMMITTEE FINAL REPORT
1. INTRODUCTION
2. OBJECTIVES
3. BACKGROUND OF LICENSING PRACTICES FOR PHYSICAL PROTECTION OF POWER REACTORS AGAINST SABOTAGE
4. BASIC STUDY PREMISES
5. SCOPE AND METHODOLOGY
6. STUDY RESULTS
   6.1 Proposed Vital Equipment/Area Protection Philosophy and Analysis Assumptions
   6.2 Impact on Licensed Plants
7. RECOMMENDATION

APPENDICES

A  EDO Memorandum of May 1, 1985 Establishing the Vital Equipment/Area Guidelines Study
B  Review Guideline 17 and Regulatory Guide 1.29
C  Action Plan Memorandum of July 1, 1985
D  Summary of Briefings to Vital Area Committee
E  Current LANL Vital Equipment/Area Analysis Assumptions
  • F  (1) Disposition of Comments Received on the Draft Vital Equipment/Area Guidelines Study and (2) Comments Received on the Draft VAC Report
  • G  Implementation Considerations for Revised Vital Equipment/Area Guidelines
  • H  Proposed Generic Letter of Transmittal for Final VAC Report

  • These sections were not included in VAC study transmitted by March 5, 1986 Memorandum, but are being added to that Memorandum in the present publication.
  • Appendices F, G, and H were not included in VAC study transmitted by March 5, 1986 Memorandum, but were Enclosures 2, 3, and 4, respectively, to that Memorandum.

FOREWORD

On May 1, 1985, the Executive Director for Operations directed the staff to initiate a study to re-evaluate the existing guidelines and bases used to determine what are the vital equipment and areas to be protected against radiological sabotage in nuclear power plants and to recommend revised guidance as necessary.

This report documents the study and its results.

A Vital Area Committee was established to conduct the study.

Vital Area Committee

Frank J. Miraglia, Chairman
Director, Division of Pressurized Water Reactor Licensing-B
Office of Nuclear Reactor Regulation

Robert F. Burnett, Member
Director, Division of Safeguards
Office of Nuclear Material Safety and Safeguards

Frank P. Gillespie, Member
Acting Director, Division of Accident Analysis
Office of Nuclear Regulatory Research

James G. Partlow, Member
Director, Division of Inspection Programs
Office of Inspection and Enforcement

EXECUTIVE SUMMARY

This report presents the results of a study (1) to re-evaluate the guidelines and bases used to determine what are the vital equipment and areas to be protected in nuclear power plants and (2) to recommend revised guidance.

The study was established by the Executive Director for Operations (EDO) on May 1, 1985, to address questions that had been raised about the validity and consistency of past and current criteria for identifying equipment that must be protected against radiological sabotage, and to consider recent research on this subject.

The EDO designated two staff groups to carry out the study: a Vital Area Committee (VAC) and a Management Policy Review Group (MPRG). The VAC conducted the study, while the MPRG provided broad policy direction and guidance to the VAC and approved its study plans and products. The VAC was chaired by Frank J. Miraglia, NRR; its members included Robert F. Burnett, NMSS; James G. Partlow, IE; and Frank P. Gillespie, RES. The MPRG consisted of Victor Stello, DEDROGR; Harold R. Denton, NRR; and John G. Davis, NMSS.

On the basis of the study, the VAC has recommended a revised vital equipment/area protection philosophy: to protect as vital the reactor coolant pressure boundary and one train of equipment -- with its associated piping, water sources, power supplies, and instrumentation -- that provide the capability to achieve and maintain hot shutdown.

To implement this overall protection philosophy, the VAC also has recommended revised analysis assumptions or guidelines, to be applied on a case-by-case basis, to identify the specific equipment and areas in each plant that require protection as "vital".

These analysis assumptions are as follows:

(1) For purposes of protection against radiological sabotage, the primary coolant pressure boundary consists of the reactor vessel and reactor coolant piping up to and including a single, protected, normally closed isolation valve or protected valve capable of closure in interfacing systems.

(2) Any transient or event that causes significant core damage will result in an attendant 10 CFR 100 release.

(3) One train of equipment (with the associated piping, water sources, power supplies, controls, and instrumentation) that provides the capability to perform the functions (reactivity control, decay heat removal, and process monitoring) that are necessary to achieve and maintain hot shutdown for a minimum of 8 hours from the time of reactor trip should be protected as vital. In addition, the major components of the reactor coolant makeup system and associated support equipment necessary to achieve this goal should be protected as vital.

(4) The control room and any remote locations from which vital equipment can be controlled or disabled (such as remote shutdown panels, motor control centers, circuit breakers, or local control stations) should be protected as vital areas.

(5) Only the power mode of reactor operation and hot standby (for PWRs) need be considered as long as all equipment designated as vital for power operation is maintained as vital in other modes.

(6) Off-site power is unavailable.

(7) Random failures do not occur simultaneously with an act of radiological sabotage. However, the saboteur can take advantage of the unavailability of equipment during maintenance. Thus, whenever any components or systems normally protected as vital are inoperable for any period of time, appropriate compensatory measures (such as stationing guards at alternate locations) must be taken to ensure that the capability to reach hot shutdown is maintained.

(8) Breaks in multiple main steam lines that cannot be isolated lead to 10 CFR 100 releases.

(9) Cable runs in trays and conduit need not be protected as vital unless cables necessary for safe shutdown capability are individually identifiable and the identification is reasonably accessible. However, cable terminals or junctions and areas such as cable spreading rooms, through which large numbers of cables pass, must be protected.

(10) Saboteurs may use explosives in amounts that they can carry.

(11) No credit is given for equipment not located in vital areas.

(12) Following the start of a refueling outage, the spent fuel pool should be protected as vital long enough to ensure that sabotage to the pool cannot result in a 10 CFR 100 release.

(13) The backup supporting power supply of the Central Alarm Station (CAS) is essential for continuous operation of CAS in the event of loss of normal power.

The VAC believes that the application of the recommended protection philosophy, with its implementing analysis assumptions, will contribute to the overall program designed to provide a high degree of assurance against radiological sabotage.

MEMORANDUM TRANSMITTING VITAL AREA COMMITTEE FINAL REPORT

On March 5, 1986, the Chairman of the Vital Area Committee (VAC) sent a memorandum (see next page) notifying the recipients that the VAC had completed its study effort and was enclosing its final report.

That report, its appendices A through E, and background material (appendices F, G, and H) that accompanied the issuance of March 5, 1986, are now being issued as NUREG-1178.

The March 5th memorandum cites two references:

(1) Memorandum from William J. Dircks, "Vital Equipment/Area Guidelines Study," dated May 1, 1985, and

(2) Memorandum from Frank J. Miraglia, "Vital Equipment/Area Guidelines Study Action Plan," dated July 1, 1985.

These are reproduced here as appendices A and C, respectively.

The March 5th memorandum also refers to "Enclosure 1" (the text of this report and appendices A through E), "Enclosure 2" (Appendix F), and "Enclosure 3" (Appendix G).

Appendix H contains the proposed generic letter of transmittal for the final VAC report; this was designated as Enclosure 4 to the March 5th memorandum.

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

March 5, 1986

MEMORANDUM FOR:
Victor Stello, Jr., Acting Executive Director for Operations
Harold R. Denton, Director, Office of Nuclear Reactor Regulation
John G. Davis, Director, Office of Nuclear Material Safety and Safeguards

FROM:
Frank J. Miraglia, Chairman, Vital Area Committee

SUBJECT:
VITAL AREA COMMITTEE FINAL REPORT

References:

(1) Memorandum from William J. Dircks, "Vital Equipment/Area Guidelines Study," dated May 1, 1985

(2) Memorandum from Frank J. Miraglia, "Vital Equipment/Area Guidelines Study Action Plan," dated July 1, 1985

In accordance with references (1) and (2), the Vital Area Committee (VAC) has completed its study effort. The Committee's final report is provided for your review and action as Enclosure 1.

The VAC has considered all the comments received from the cognizant Headquarters Offices and the Regions on the draft report. Enclosure 2 provides those comments and discusses the Committee's disposition of them. Enclosure 3 discusses the Committee's considerations and recommendations concerning implementation of the revised vital equipment/area guidelines. Finally, Enclosure 4 is a proposed generic letter for transmitting the VAC report to industry.

If you agree with the contents of the report and the supporting documents provided herein, we recommend that you consider providing Enclosures 1 and 2 to the cognizant Headquarters Offices and the Regions for their information prior to issuing the report publicly.

We are available to meet with the MPRG to discuss the report or the other enclosures to this memorandum.

Enclosures:
As stated

cc:
R. Burnett
J. Partlow
F. Gillespie

1. INTRODUCTION

Definitions of vital equipment/areas have been evolving since 1978. The topic has been addressed in several studies done by the staff of the Nuclear Regulatory Commission (NRC), as well as in NRC-sponsored research programs.

These studies and recent staff evaluations of physical security plans have raised questions about the validity and consistency of the assumptions and criteria being used to determine vital equipment and areas. For this reason, on May 1, 1985, the Executive Director for Operations (EDO) established a committee (1) to re-evaluate the guidelines and bases used to determine the equipment and areas to be protected as vital and (2) to develop and recommend revised assumptions and guidance.

The EDO designated two staff groups to carry out the study: a Vital Area Committee (VAC) and a Management Policy Review Group (MPRG). The VAC was given responsibility for actual conduct of the study, while the MPRG was to provide broad policy direction and guidance to the VAC and to approve the study plans and products.

The VAC was chaired by Frank J. Miraglia, NRR; its members included Robert F. Burnett, NMSS; James G. Partlow, IE; and Frank P. Gillespie, RES. The MPRG was composed of Victor Stello, DEDROGR; Harold R. Denton, NRR; and John G. Davis, NMSS. A copy of the EDO memorandum establishing the study is included as Appendix A to this report.

Section 2 below gives the objectives of the study. Section 3 traces the evolution of vital equipment-related regulations, guidance, and practice. Section 4 gives the justification for the assumptions used by the VAC in evaluating the specific vital equipment assumptions. Section 5 discusses the scope and methodology of the study, and the study results are detailed in Section 6. Recommendations are given in Section 7. The appendices provide additional background material.

2. OBJECTIVES

The objectives of the study were (1) to perform a structured evaluation of existing and proposed vital equipment/area assumptions, criteria, and guidance and (2) to develop a comprehensive and consistent set of recommended assumptions for determining equipment and areas to be designated as vital in nuclear power plants.

Both the assumptions and the rationale supporting them were evaluated individually and collectively for completeness and technical adequacy.

Based on this evaluation, the principal objective of the Vital Area Committee was to develop and recommend revised assumptions and guidance, with rationale and justification for the revisions.

The assumptions and guidance were to satisfy the following criteria:

(1) Consider all conditions of normal operation, anticipated operational occurrences, transients, and accidents of the types presently considered in the design-basis analysis of nuclear power plants; consider outage conditions and activities to the extent that loss of operational functions and capabilities during outages impacts vital equipment and areas.

(2) Be readily and uniformly applicable by safety/safeguards analysts in identifying vital equipment and areas on a case-by-case basis.

(3) Have the concurrence of all cognizant NRC Offices.

3. BACKGROUND OF LICENSING PRACTICES FOR PHYSICAL PROTECTION OF POWER REACTORS AGAINST SABOTAGE

Sabotage protection for power reactors was first addressed in a February 1967 Commission Order directing Florida Power and Light Company to address industrial sabotage protection at the Turkey Point plant.

In October 1971, the Commission published guidance for licensees in Safety Guide 17, "Protection of Nuclear Power Plants Against Industrial Sabotage."

This initial security program was significantly upgraded in March 1977, with the publication of 10 CFR 73.55, which applied to approximately 50 operating reactors and about 25 applications for operating licenses.

In 1977-78, in addition to the several Regulatory Guides already in existence, the NRC staff developed 23 review guidelines (Branch Technical Positions) and 3 NUREG reports for use as guidance for power reactor applicants/licensees and as acceptance criteria by reviewers.

One such document, NUREG-0416, was a workbook that gave step-by-step procedures for licensees/applicants to show how they proposed to meet each regulatory requirement. At the conclusion of each NRC staff review, the reviewer prepared a Security Plan Evaluation Report.

All approved plans covered all the functional requirements of 10 CFR 73.55(b) through (h). However, implementation of the functional requirements varied.

Review Guideline 17, "Definition of Vital Areas," published in January 1978, stated that essentially all safety-related equipment must be considered vital, and that the systems listed in Regulatory Guide 1.29, "Seismic Design Classification," should be considered vital. Applicants/licensees had to provide a sound technical basis for any deviation from this list.

Review Guideline 17 also suggested that vital areas be separated into two categories: Type I (successful sabotage could be accomplished by sabotage activities within a single area) and Type II (successful sabotage could be accomplished only by acts of sabotage in multiple areas, such as damage to various items of accident mitigation equipment).

Because there was no regulatory basis for requiring an additional level of protection for Type I areas, no practical use was made of this distinction.

A copy of Review Guideline 17 and Regulatory Guide 1.29 are included as Appendix B to this report.

In 1978, NRC contracted with the Los Alamos National Laboratory (LANL) to provide a site-specific vital equipment/area analysis for each reactor. This analysis was to be used by the NRC staff to validate the vital area identification provided by licensees in their approved plans.

During the initial implementation phase of 10 CFR 73.55, eight separate teams reviewed licensees' vital area identification and security plans. As a result of some uncertainty as to what constituted vital equipment, review results varied, and the staff recognized that the initial review findings might require revision.

This possible need for revision was documented in the staff's safety evaluation reports and, in some cases, in license conditions, by the following statement or an equivalent: "The identification of vital areas and measures to control access to these areas, as described in the plan, may be subject to amendments in the future."

By the end of 1979, the staff had physical security plans for all operating power reactors, and, to a great extent, these plans had been implemented. However, at many sites, licensees were using compensatory measures for parts of the system that had not been installed or that were not functioning properly.

The compliance of licensees of operating plants with Review Guideline 17 can be summarized as follows:

(1) Review Guideline 17 calls for all safety-related equipment to be protected as vital.

(2) The first units of any plants licensed since 1980 satisfy this guidance.

(3) About two-thirds of the physical security plans approved by the NRC staff probably do not completely satisfy Review Guideline 17 but meet it to varying degrees.

During its review of Duke Power Company's proposed vital area program for the Catawba plant, the staff used LANL's modeling assumptions as a technical basis for evaluating the adequacy of protecting the plant's standby shutdown facility, which was an alternative to protecting certain other safety-related equipment.

The staff had previously approved this standby shutdown facility protection strategy for the McGuire and Oconee plants. This strategy calls for a hardened facility with separate ac and dc power, reactor controls, and cabling. It relies on the normal auxiliary feedwater system for emergency heat removal and a charging pump for primary water make-up.

In the course of this review, a number of questions surfaced concerning LANL's modeling assumptions. To address these concerns, the VAC was established to review the vital area identification process in general, and the modeling assumptions specifically.

4. BASIC STUDY PREMISES

The Vital Area Committee adopted three premises for its study:

(1) To protect the health and safety of the public from acts of radiological sabotage, the NRC requires physical protection systems for nuclear power plants. The design basis threat for radiological sabotage, defined in 10 CFR 73.1(a), based on an extensive study of known adversarial characteristics, provides the bases for the design of security systems that will provide an adequate and prudent level of security at nuclear facilities.

(2) Conformance with the requirements of 10 CFR 73.55(b)-(h) provides high assurance of protection against the design basis threat, recognizing that the Commission is considering improved access control relevant to 10 CFR 73.55(d). 10 CFR 73.55 requires each licensee to have the capability of meeting the specific detailed requirements of paragraphs (b) through (h). The Statement of Considerations for the rule states: "Compliance with the detailed requirements should essentially satisfy the general performance requirements stated in the rule in §73.55(a)" (42 FR 10838, February 24, 1977). Other Commission notices of public record issued in conjunction with other rulemaking proceedings essentially repeat this conclusion (42 FR 11201, February 28, 1979 and 44 FR 47759, August 15, 1979). Although the rule allows licensees and applicants to propose alternatives to paragraphs (b) through (h) that would be equivalent in meeting the performance objective, none have done so.

(3) Successful radiological sabotage results in doses in excess of those defined in 10 CFR 100. The 10 CFR 100 criteria are intended to serve as a benchmark for the analysis of major events, that is, those events that pose a potential health hazard (a significant release of radioactivity as a result of a major accident or radiological sabotage). Equipment not designated and protected as vital is considered vulnerable to non-radiological sabotage. This study does not address non-radiological sabotage.

5. SCOPE AND METHODOLOGY

The study was carried out by the members of the Vital Area Committee (VAC) with supporting staff assistance from NRR, NMSS, RES, and IE. Throughout the study, the VAC met periodically with the Management Policy Review Group (MPRG) for guidance and approval.

The scope of the study included the following:

(1) a review of all current regulations, guidance, definitions, assumptions, and criteria related to determining vital equipment and areas

(2) a determination of the present status of the application of the items in (1) to various vintages of plants to establish what staff practice has been and is with respect to approving designated vital equipment and areas

(3) identification of any deficiencies, ambiguities, inconsistencies, or other problems in the present regulatory approach

(4) a review and evaluation of recent and current staff proposals, proposed rules, etc., as they relate to vital equipment and areas, such as

    - protection of event-mitigating capabilities and their support facilities (e.g., water sources, pumps, switchgear, and cable runs)
    - constraints on the vital island concept and compartmentalization requirements
    - determination of an acceptable final state (hot or cold shutdown), the required duration of that state, reliance on outside assistance, and consideration of normal equipment repair capabilities
    - provisions for compensating for vital equipment out of service for maintenance
    - credit for plant-specific features and capabilities, such as feed-and-bleed
    - relevant information, data, and recommendations from recent staff and contractor studies, as well as from operational experience relevant to vital equipment and areas
    - methods used to protect critical equipment for other purposes, such as fire protection

The VAC study and its results address light water reactors only. Other types of reactors will be considered on a case-specific basis, as appropriate.

The VAC conducted the study in accordance with an action plan that had been approved by the MPRG. (A copy of the approved action plan is included as Appendix C to this report.)

The VAC independently evaluated all relevant documentation. This review was augmented by 13 briefings by staff members and contractors on 16 study-related areas. (The briefings are summarized in Appendix D to this report.)

The subjects of the briefings and organizations presenting them were as follows:

    - Current practices for vital equipment area reviews - NMSS
    - Vital equipment and vital area analyses - LANL
    - Vital area criteria for the Regulatory Effectiveness Review Program - NMSS
    - The Safeguards Insider Rules - NMSS
    - Vital Equipment Determination Research Study - RES/LANL
    - Current definitions and assumptions on vital areas - NRR
    - 10 CFR 50, Appendix R, Fire Protection - NRR
    - Generic Issue A-29, "Nuclear Power Plant Design for the Reduction of Vulnerability to Sabotage" - NRR
    - Vital area inspection program - IE
    - Vital area inspection program: implementation and critique of current assumptions and suggested changes - Regions I and II
    - USI A-45, "Shutdown Decay Heat Removal Requirements" - NRR
    - Precursor Studies of Risk Analysis of Several Known Safeguards Events - RES
    - Nuclear Power Plant Damage Control Measures - RES
    - Equipment Requiring Protection Under Various Condition Assumptions - NMSS
    - Selected Vital Equipment Assumptions - LANL
    - USI A-44, "Station Blackout" - NRR

6.

STUOY RESULTS 6.1 Proposed V i t a l Equipment;/Area Protection Philosophy and Analysis Assumptions On the basis o f i t s review and evaluation o f relevant background informa-tion, data, and operational experience, the VAC developed an overall v i t a l equipment/area protection philosophy o r goal: t o protect as v i t a l the reactor coolant pressure boundary and one t r a i n o f equipment --with the associated piping, wdter sources, power supplies, controls, and instrumentation -- t h a t provide the capa,bility t o achieve and maintain hot shutdown.

Implementation of t h i s philosophy would protect a s e t o f safety-related components rather than protecting a l l safety-related components.

It i s derived from and i s consistent with Appendix A t o 10 CFR 100 and Appendix R t o 10 CFR 50.

Appendix A t o 10 CFR 100 defines those structures, systems and components t o be protected from the effects of earthquakes; the s t a f f uses t h i s t o i d e n t i f y equipment t o be protected i n design basis events.

The proposed philosophy also builds on the e x i s t i n g defense-in-depth safeguards approach, which consists o f a protected boundary, determining specific equipment and areas t o be protected as v i t a l, access authorization (minimizing the number o f people with access t o v i t a l eqluipment), and an assumed shutdown capabi 1 i ty.

Appendix R t o 10 CFR 50 addresses f i r e protection.

In summary, protecting a!; v i t a l the reactor coolant pressure boundary and one t r a i n of equipment (with associated piping, w'ater sources, power supplies, and instrumentation) t h a t prov,ide the c'apability t o achieve and maintain hot shutdown represents an approach t o slafeguards protection t h a t i s consistent both with the existing regulations f o r ensuring safety under design basis earthquake and f i r e conditions and w i t h the current approach t o safeguards pvotection.

Application o f t h i s philosophy w i l l contribute t o the overall1 program designed t o pro,vide a high degree o f assurance against radiological sabotage, After developing t h i s protection philosophy, the 'VAC re-examined, individ-ual l y and c o l l e c t i v e l y, 1!6 v i t a l equipment/area assumptions currently used by LANL, and t h e i r bases.

These assumptions provide the principal guidance used by safeguards analysts t o.identify equipment and areas t h a t require protection against successful radiological sabotage.

(The LANL assumptions are l i s t e d i n Appendix E.)

This reexamination was based on the three premise!; defined i n Section 4 above.

I n brief, they are (1) The design-basis threat o f radiological sabotage i s defined i n 10 CFR 73.l(a).

NUREG-1178 6-1

( 2 )

Conformance w i t h the requirements of 10 CFR 73.55(b)-(h) provides high assurance o f protection against the design-basis threat.

( 3 ) Successful radiological sabotage r e s u l t s i n doses i n excess o f those defined i n 10 CFR 100.

A f t e r re-evaluating the current analysis assumptions, i n l i g h t o f the VAC protection philosophy and these three assumptions, the VAC developed the revised set o f assumptions discussed below.

Application a f these assumptions might r e s u l t i n designation of v i t a l equipment d i f f e r e n t from t h a t recommended i n NUREG-0992, "Report of the Committee t o Review Safeguards Requirements a t Power Reactors," dated May 1983, which was t h a t several specific p l a n t areas o r equipment items be protected as independent v i t a l islands.

6.1.1 Assumption 1

For protection against radiological sabotage, the primary coolant pressure boundary consists of the reactor vessel and reactor coolant piping up to and including a single, protected, normally-closed isolation valve or protected valve capable of closure in interfacing systems.

Rationale

Protection of the primary coolant pressure boundary, as defined, ensures that a saboteur cannot cause a loss-of-coolant accident (LOCA).

Thus, this protection precludes the need to protect LOCA-mitigating equipment.

Protection of a single valve is an adequate barrier for this purpose.

Manual action to close a protected valve in an interfacing system is acceptable if that action can be taken in time to prevent an unrecoverable condition.

Any valves upstream of a protected valve need not be protected if their failure will not result in a LOCA.

6.1.2 Assumption 2

Any transient or event that causes significant core damage will result in an attendant 10 CFR 100 release.

Rationale

This is a conservative approach that assumes that, except for a temporary loss of water and/or heat removal capability, the core must be kept covered with water and decay heat removal capability must be maintained to preclude core melt.

If these conditions are not met, core melt is assumed.

No credit is given for the protective or mitigating capabilities of the pressure vessel or the containment.

Thus, core melting is assumed to result in doses in excess of those defined in 10 CFR 100.

6.1.3 Assumption 3

One train of equipment (with the associated piping, water sources, power supplies, controls, and instrumentation) that provides the capability to perform the functions (reactivity control, decay heat removal, and process monitoring) that are necessary to achieve and maintain hot shutdown for a minimum of 8 hours from the time of reactor trip should be protected as vital.

In addition, the major components of the reactor coolant makeup system and associated support equipment necessary to achieve this goal should be protected as vital.

Rationale

Reactivity control is necessary to achieve and maintain subcritical reactivity conditions in the reactor. Decay heat removal is necessary to remove decay heat generated in the core during hot shutdown.

Process monitoring is necessary to provide direct readings of the process variables needed to perform, control, and monitor the reactivity control and decay heat removal.

For those plants where an 8-hour hot shutdown capability without primary system makeup or alternate power sources cannot be demonstrated, the major components of those systems necessary to support reactivity control, decay heat removal, and process monitoring also must be protected as vital.

For example, an alternate power source, such as a diesel generator, might be necessary to provide power for process monitoring instruments and for other equipment required for achieving and maintaining hot shutdown. Primary makeup water might be necessary to compensate for coolant leaked through the main reactor coolant pump seals and/or for operation of the power-operated relief valves.

Examples of equipment needed to perform these functions include, but are not limited to, the following:


reactivity control:
    control rod scram components and systems (PWRs and BWRs)

decay heat removal:
    turbine-driven auxiliary feedwater pump, including control, water source (e.g., condensate storage tank), and main steam safety valves (PWRs)
    turbine-driven high pressure core injection (HPCI) pump, reactor core isolation cooling (RCIC) pump, isolation condenser, including auto start, control, and safety-relief valves (BWRs)

process monitoring:
    pressurizer pressure and level, steam generator pressure and level, reactor coolant hot and cold leg temperature (PWRs)
    reactor pressure and level, suppression pool temperature and level (BWRs)

reactor coolant makeup and reactor coolant pump seal cooling:
    charging pump, including water source and motor control center (PWRs)

support functions:
    diesel generator, including switchgear, cooling, startup, and controls (PWRs and BWRs)
    battery (PWRs and BWRs)
    service water pump and motor control center (PWRs and BWRs)
    component cooling water pump and motor control center (PWRs)

6.1.4 Assumption 4

The control room and any remote locations from which vital equipment can be controlled or disabled (such as remote shutdown panels, motor control centers, circuit breakers, or local control stations) should be protected as vital areas.

Rationale

Because the equipment necessary to ensure hot shutdown following a sabotage-initiated transient can be controlled from either the control room or local areas, both must be protected as vital.

6.1.5 Assumption 5

Only the power mode of reactor operation and hot standby (for PWRs) need be considered as long as all equipment designated as vital for power operation is maintained as vital in other modes.

Rationale

Equipment identified as vital from an analysis of the power or hot standby modes of reactor operation also encompasses that necessary to protect against radiological sabotage in other modes.

Therefore, plant-specific analyses of other modes are not necessary for vital equipment determination.

Consideration was given to a possible exception in the cold shutdown mode, since the cold shutdown decay heat removal (DHR) system, also referred to as the residual heat removal (RHR) system, is not required to be protected as vital for the power or hot standby modes. Because of the size of the decay heat removal (DHR) system piping (16-inch diameter) and the capacity of the residual heat removal (RHR) system pump (5500 gpm), the DHR system could drain the reactor vessel to hot leg level in less than 11 minutes in case of a DHR LOCA or uncontrolled containment spray.

Without injection flow to the pressure vessel, the water level in the vessel would drop to the top of core from the hot leg level in about 15 minutes, and to the mid-point of the core in about 36 minutes.

Therefore, the capability of isolating a damaged DHR system from the primary coolant pressure boundary during the cold-shutdown mode is required.

This capability would be ensured by protecting the primary coolant pressure boundary, which includes the first isolation valve.

Additionally, normal procedures routinely require more than 6 hours to bring a PWR to cold shutdown after reactor scram.

After reactor shutdown, decay heat rapidly decreases and is less than 0.5% at the end of 24 hours.

Thus, after 24 hours of cold shutdown, less than 100 gpm of injected water is required to remove the remaining decay heat.

This relatively small flow of water can be obtained from alternate water makeup sources, such as the high-pressure injection system or the charging system, which already is protected.

Thus, the time when significant fuel damage can be realistically caused is very limited.

Further support for this assumption is based on a recent NRC study that evaluated 130 total loss-of-DHR events in U.S. PWRs between 1976 and 1983.

The durations of these events (before corrective actions were taken) ranged from less than 1 minute to 24 hours.

However, because of timely corrective actions taken by the operators, no serious damage resulted from any of these events.

6.1.6 Assumption 6

Off-site power is unavailable.

Rationale

Off-site power is transmitted by facilities outside the areas protected and controlled by the licensee.

Therefore, the licensee cannot protect against the external assault defined in the design basis threat.

This assumption is compatible with the basic premise that equipment not designated and protected as vital is vulnerable to damage and is not available.

6.1.7 Assumption 7

Random failures do not occur simultaneously with an act of radiological sabotage.

However, the saboteur can take advantage of the unavailability of equipment during maintenance.

Thus, whenever any components or systems normally protected as vital are inoperable for any period of time, appropriate compensatory measures (such as stationing guards at alternate locations) must be taken to ensure the capability to reach and maintain hot shutdown.

Rationale

The likelihood of a significant random equipment failure occurring simultaneously with a successful radiological sabotage act is very small, probably in the same order as the occurrence of an accident beyond the design basis.

Although a saboteur might wait for such an event before initiating a sabotage act, this situation would require the saboteur to be in a continuous state of total readiness for indefinite periods, which seems unlikely.

However, a planned maintenance outage is usually of significant duration and a saboteur can readily learn of the plans for such outages well in advance of their occurrence, allowing the saboteur time to implement successful radiological sabotage.

Thus, radiological sabotage during unplanned equipment outages is less likely than during planned maintenance outages.

6.1.8 Assumption 8

Breaks in multiple main steam lines that cannot be isolated lead to 10 CFR 100 releases.

Rationale

The design-basis main steam line break is the unisolable double-ended rupture of a single main steam line upstream of the main steam line isolation valves.

A licensee's analysis of this design-basis event must show that the main steam line break mitigating systems can prevent core damage resulting from both the positive reactivity increase caused by the overcooling transient and the loss of steam generator tube integrity. It is conservatively assumed that these mitigating systems cannot prevent core damage if a multiple main steam line break beyond the design basis were to occur.

Therefore, three options are available to licensees:

(1) protect all main steam lines, up to and including the main steam line isolation valves, as vital;

(2) protect all main steam lines, as in (1) above, except the one covered by the design-basis main steam line break, and protect as vital the mitigating systems for that line; or

(3) provide analyses demonstrating that sabotage-induced multiple steam line breaks are acceptable and protect as vital the required mitigating equipment and systems.

6.1.9 Assumption 9

Cable runs in trays and conduit need not be protected as vital unless cables necessary for safe shutdown capability are individually identifiable and the identification is reasonably accessible.

However, cable terminals or junctions and areas such as cable spreading rooms, through which large numbers of cables pass, must be protected.

Rationale

Generally, it is not feasible for a saboteur to identify individual cables in cable trays.

In some very few instances where individual cables in trays and conduits are tagged or labeled with coded identifications, such tags or labels are not readily accessible and significant effort would be required to trace the code to the actual cable identity.

Thus, even in such cases, positive identification of specific individual cables is considered to be very difficult and unlikely.

However, for facilities with such individually identified cables, justification will be required for not protecting the cables as vital.

Most licensees, however, have prepared documentation which identifies cable routings and locations.

Therefore, a saboteur might not be able to identify a specific cable among many in a tray, but he could know that a certain cable is within a specific tray.

Protecting all cable trays throughout their entire routings would be contrary to the objective of minimizing access to vital equipment, because designating large portions of the plant as vital greatly increases the number of personnel with access to vital areas.

The approach that cable runs in trays and conduit need not be protected requires the acceptance of some degree of cable vulnerability.

However, damage control can compensate for the loss of cable more readily than it can compensate for the loss of vital equipment served by these cables.

6.1.10 Assumption 10

Saboteurs may use explosives in amounts that they can carry.

Rationale

This assumption provides for consideration of protecting, as vital, massive pieces of equipment (reactor pressure vessel, water tanks) that could otherwise not be damaged by individuals using conventional tools and thereby would not warrant protection as vital equipment.

Determination of which equipment needs to be designated vital is insensitive to the specific amount of explosives that individuals can carry (see Assumption 11).

Implementation of the assumption to determine which equipment needs to be designated vital does not require the analyst to consider specifically how much explosives can be used by the adversary.

The goal was to bound the problem by characterizing an amount that could be carried, consistent with the design basis threat, and not require a vehicle.

6.1.11 Assumption 11

No credit is given for equipment not located in vital areas.

Rationale

Because some single plant areas contain either a common element, the major elements of an essential system, or elements of multiple essential systems, and because a saboteur is assumed to have whatever knowledge is required, once a saboteur enters such an area, there are no impediments to the successful completion of the radiological sabotage action.

Therefore, it is assumed that if a saboteur gets into a single area containing several pieces of equipment, the saboteur can disable or manipulate all of the equipment in that area.

6.1.12 Assumption 12

Following the start of a refueling outage, the spent fuel pool should be protected as vital long enough to ensure that sabotage to the pool cannot result in a 10 CFR 100 release.

Rationale

Protection of the spent fuel pool for the specified period of time immediately following refueling precludes damage to the spent fuel that would result in unacceptable releases.

6.1.13 Assumption 13

The backup supporting power supply of the Central Alarm Station (CAS) is essential for continuous operation of CAS in the event of loss of normal power.

Rationale

The CAS is designated a vital area by 10 CFR 73.55(e)(1).

Its backup supporting power supply must be protected to assure continuous CAS operation (1) to provide timely indication of an unauthorized attempt to enter a vital area, (2) to detect unauthorized penetration of the protected area, and (3) to assure a means of communicating with the local law enforcement agencies.

6.2 Impact on Licensed Plants

Generally, implementation of the proposed vital equipment/area protection philosophy and analysis assumptions would have a greater impact on facilities licensed before 1980 than on those licensed since then.

The VAC estimates that the licensees of about one-third of the operating U.S. nuclear power reactors would not have to protect any equipment beyond that now protected.

Licensees of the other two-thirds of the U.S. operating reactors might be required to classify additional equipment as vital.

This equipment would range from a few items in some plants to many in others.

7. RECOMMENDATION

The Vital Area Committee recommends that the proposed vital equipment/area protection philosophy and analysis assumptions presented in Section 6.1 of this report be adopted and implemented.

However, satisfaction of the requirements and assumptions of Review Guideline 17, issued in January 1978, should continue to be acceptable as an alternative to this revised guidance.

The Committee believes that these assumptions represent a comprehensive and consistent approach to determining equipment and areas to be designated as vital in nuclear power plants and that their application will contribute to the overall program designed to provide a high degree of assurance against radiological sabotage.

APPENDIX A

EDO MEMORANDUM OF MAY 1, 1985 ESTABLISHING THE VITAL EQUIPMENT/AREA GUIDELINES STUDY

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

MAY 01 1985

MEMORANDUM FOR:
Victor Stello, Deputy Executive Director for Regional Operations & Generic Requirements
Harold R. Denton, Director, Office of Nuclear Reactor Regulation
John G. Davis, Director, Office of Nuclear Material Safety & Safeguards
Frank J. Miraglia, Deputy Director, Division of Licensing, NRR
Robert F. Burnett, Director, Division of Safeguards, NMSS
James G. Partlow, Director, Division of Inspection Programs
Frank P. Gillespie, Director, Division of Risk Analysis & Operations, RES

FROM: William J. Dircks, Executive Director for Operations

SUBJECT: VITAL EQUIPMENT/AREA GUIDELINES STUDY

The vital area definition process has been evolving since 1970 and has been addressed in several studies. Recent evaluations of licensees' physical security plans and site visits have raised questions about the validity of some of the assumptions and criteria used in the current vital equipment/area determination process.

In view of the uncertainty involved with the vital equipment/area guidelines, a need exists to reevaluate the bases and guidelines used to determine the equipment and areas to be protected as vital. Therefore, I am establishing a study effort to respond to this need.

The participants, responsibilities and milestones are outlined broadly in the enclosure, "Charter, Membership and Action Plan for Vital Equipment/Area Guidelines Study."

This approach will ensure coordination and consistency and bring together expertise in both the safety and safeguards perspectives.

The study should be completed and a final report issued within about eight months.

William J. Dircks
Executive Director for Operations

Enclosure: As stated

cc:
Thomas E. Murley, Administrator, Region I
J. Nelson Grace, Administrator, Region II
James G. Keppler, Administrator, Region III
Robert D. Martin, Administrator, Region IV
John E. Martin, Administrator, Region V

ENCLOSURE

CHARTER, MEMBERSHIP AND ACTION PLAN FOR VITAL EQUIPMENT/AREA GUIDELINES STUDY

I. Objective

This study is intended to cover the entire spectrum of NRC safeguards rules, guidance, contractor data, etc., as they pertain to vital equipment/area rules, guidelines and assumptions.

A consistent, logical approach to identifying vital equipment/areas for subsequent protection is to be developed.

Consideration shall be given to conditions of normal operation, including anticipated operational occurrences, and those transients and accidents of the types presently considered in the design basis analysis of the plant.

Consideration shall also be given to outage activities to the extent that loss of operational functions and capabilities impact vital equipment and areas.

II. Background

The vital equipment/area guidelines currently in use have evolved as follows:

o 10 CFR 73.2 defines in general terms equipment and areas that must be protected as vital.

o "Definition of Vital Areas," Revision 1, Review Guideline No. 17, January 23, 1970, addresses in general terms the structures, systems and components that should be protected as vital. It also classifies vital equipment/areas into two general categories -- Type I and Type II.

o The LANL Vital Area Analysis Assumptions are utilized by LANL under a technical assistance program to independently identify vital equipment/areas at power reactors.

o A Working Group to Improve Vital Area Determination Techniques report of August 12, 1982, concluded that the techniques in use, subject to recommended modification, provide a reasonable approach, from a safeguards perspective, to identifying vital areas and equipment. It was recommended that a research project be initiated to further refine and improve the program. The research project is not yet complete.

o NUREG-0992, May 1983, prepared by the Committee to Review Safeguards Requirements at Power Reactors, endorsed the vital island concept and further identified selected items of equipment that should be independently protected as vital at all power reactors.

o The Proposed Insider Rule, published for public comment on August 1'1, 1984 would provide for the grouping of vital areas into "vital islands" and require protection of vital equipment only to the extent necessary to interrupt sabotage paths.

III. Organization

Two groups are established to carry out the study: a Vital Area Committee and a Management Policy Review Group.

The Vital Area Committee is chaired by Frank J. Miraglia, NRR.

Its other members are Robert F. Burnett, NMSS; James G. Partlow, IE; and Frank P. Gillespie, RES.

The Management Policy Review Group is composed of Victor Stello, DEDROGR; Harold R. Denton, NRR; and John G. Davis, NMSS.

IV. Responsibilities

A. Vital Area Committee

o Recommend a proposed Action Plan with milestones and specific milestone schedules.

o Reexamine all existing and proposed requirements, assumptions, guidelines and their bases for determining vital equipment and areas; either validate or modify them appropriately.

o Recommend a clear, consistent and comprehensive set of guidelines for determining vital equipment and areas.

o Obtain and integrate necessary supporting expertise in the form of input to the study effort and comments on drafts, from the line organizations represented on the Committee, as well as from other Headquarters Offices, the Regions and contractors, as appropriate.

o Interact directly with the Management Policy Review Group as necessary to obtain guidance, direction and concurrence.

o Prepare draft reports with recommendations and supporting bases for Management Policy Review Group review and approval.

B. Management Policy Review Group

o Approve the Action Plan, its milestones and schedules.

o Meet periodically, as necessary and appropriate, with the Vital Area Committee to provide broad policy direction and guidance for the conduct of the study and to discuss the study status, plans, progress and problems.

o Approve and issue the final report to the EDO.

V. Preliminary Action Plan

The following proposed Action Plan broadly delineates the major tasks and milestone schedule for accomplishing the specified effort.

It will be further refined by the Vital Area Committee and approved by the Management Policy Review Group.

(1) Initial meeting of the Vital Area Committee to formalize the approach, identify needed resources and develop the schedule.

Target Date: Week 0

(2) Vital Area Committee and supporting staff meet in working sessions to develop preliminary recommendations with rationale and justification. Interacts with other Offices and staff and with the Management Policy Review Group as necessary and appropriate. Preliminary recommendations presented to the Management Policy Review Group.

Target Date: Week 17

(3) Management Policy Review Group reviews preliminary findings and provides guidance/recommendations to the Vital Area Committee.

Target Date: Week 20

(4) Vital Area Committee integrates recommendations into draft vital equipment/area guidelines report. Draft report completed.

Target Date: Week 25

(5) Draft report circulated for comments and concurrence from all cognizant Offices. Comments/concurrence received.

Target Date: Week 30

(6) Vital Area Committee prepares final report for Management Policy Review Group approval. Management Policy Review Group submits final report to the EDO.

Target Date: Week 36

APPENDIX B

REVIEW GUIDELINE 17 AND REGULATORY GUIDE 1.29

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

MEMORANDUM FOR: Reactor Safeguards Licensing Branch Members, DOR

FROM: Robert A. Clark, Chief, Reactor Safeguards Licensing Branch, DOR

SUBJECT: DEFINITION OF VITAL AREAS, REVISION 1 - REVIEW GUIDELINE NO. 17

Enclosed is Review Guideline Number 17, i.e., the revised definition of vital areas.

Robert A. Clark, Chief
Reactor Safeguards Licensing Branch, DOR

Enclosure: As stated

DEFINITION OF VITAL AREAS AND EQUIPMENT

Revision 1

A. Applicable Sections of 10 CFR 73

73.55 (c)(1):

"The licensee shall locate vital equipment only within a vital area, which in turn, shall be located within a protected area such that access to vital equipment requires passage through at least two physical barriers of sufficient strength to meet the performance requirements of paragraph (a) of this section. More than one vital area may be located within a single protected area."

73.2 (h):

"Vital area means any area which contains vital equipment within a structure, the walls, roof, and floor of which constitute physical barriers of construction at least as substantial as walls as described in paragraph (f)(2)."

73.2 (i):

"Vital equipment means any equipment, system, device, or material, the failure, destruction, or release of which could directly or indirectly endanger the public health and safety by exposure to radiation. Equipment or systems which would be required to function to protect public health and safety following such failure, destruction or release are also considered to be vital."

B. Assumptions and Definitions

In the application of these regulations to a typical LWR plant, the following considerations and assumptions are made:

1. Paragraph 73.55 (c) requires vital equipment to be enclosed by two barriers. The combination of barriers, in conjunction with other components of the security system, must provide a sufficient delay to an intrusion to meet the performance requirements of 73.55 (a).

2. To "endanger the public health and safety by exposure to radiation" requires a significant off-site release of radioactivity.

For LWR's the following sources of significant quantities of radioactivity should be considered:

a. The reactor core,

b. Spent fuel,

c. Radwaste systems, if the total radwaste inventory is greater than n x C, where:

n is the ratio of the applicable dose guideline of 10 CFR 100 to the dose computed for accidental releases in Chapter 15 of the FSAR, and

C is the release (curies) assumed in the accidental release calculation of the FSAR.

3. Vital Areas fall into two general categories:

a. Type I vital areas, i.e., those areas wherein successful sabotage can be accomplished by compromising or destroying the vital systems 1/ or components located within this area.

(By definition, an area containing systems or components whose failure or destruction results in a direct release is a Type I vital area.)

b. Type II vital areas, i.e., those areas which contain systems or components whose failure or destruction would lead to successful sabotage only in conjunction with additional sabotage activity in at least one other, separate 2/ vital area.

(Safety related equipment designed to mitigate the consequences of failures of other systems usually falls into this category.)

4. When classifying vital equipment as Type I or II, the following assumptions apply:

a) The concurrence of violent natural phenomena with a security contingency need not be considered.

b) Random (accidental) failure of equipment concurrent with a security contingency need not be considered. However, a security contingency during routine or planned outages of equipment, as permitted by the technical specifications, must be considered.

c) Loss of off-site power must be assumed since it is impractical to protect transmission lines against sabotage.

1/ "System" refers to all components, mechanical and electrical, including piping, cabling, power supply, and other support systems to carry out the design function provided by the system.

2/ For the purpose of this discussion, a vital area may be considered "separate" if it is separated from the area under consideration by a barrier or distance sufficient to delay the saboteur's access long enough to demonstrate interception and engagement by the security response force.

C. Discussion

The definition of vital equipment, 73.2 (i), includes equipment whose failure would lead to a direct release, as well as equipment required to function for the protection of public health and safety following a postulated sabotage attack. This is analogous to the definition of safety-related equipment, which includes primary fission product barriers, as well as the systems required to mitigate the consequences of a breach of the barrier.

Therefore, essentially all safety related equipment must be considered vital.

In order to avoid duplication of safety analyses, the systems listed in Reg. Guide 1.29 should be considered vital.

It should be noted that a facility which provides sufficient delay time to permit interruption of the external threat of §(a)(1) at all vital area barriers, and for which adequate protection against the insider threat of §(a)(2) is provided for all vital areas would meet the requirements of 73.55 without the designation of any Type I Vital Areas.

In practice, however, it is to the licensee's advantage to segregate vital areas into Type I and II, in order to take credit for the fact that a saboteur could not achieve successful sabotage in Type II vital areas without penetrating additional barriers.

0.

Review Guidelines -

1.

A l l systems l i s t e d i n Reg. Guide 1.29 as "Seismic Category I" are considered v i t a l.

vided by the lfcensee f o r any deviation from t h i s l i s t. )

Type I V i t a l Areas should be i d e n t i f i e d by the licensee, using the definitions and assumptions l i s t e d i n 8.

Areas are not i d e n t i f i e d by the licensee, the l i s t provided i n the Appendix may be used as guidance.

(A sound technical basis must be pro-

2.

If Type I V i t a l

3.

High assurance protection against the external and fnternal threat must be provided f o r a l l Type I V i t a l Areas.

This 1 requires a demonstration t h a t any external Type I v i t a l barriers provide sufficient delay t o the external threat

(!i(a)(l))

t o permit a timely engagement by the armed response force, and appropriately r e s t r i c t e d access controls, controls of a c t i v l t y, o r other methods o f protection against the insider, t o meet the fnternal threat (§(a)(2)).

For Type I1 V i t a l Areas, a combination o f multiple barriers, each o f which meets the requirements o f 73.2(f)(2) o r i t s equivalent, and the associated i

ndi v i dual access controls, provi des high asswance protect1 on against the external and internal threat.


Appendix

SAMPLE LIST OF TYPE I VITAL AREAS

1. Primary containment

2. Containment electrical and piping penetration areas

3. Control room

4. Cable spreading room

5. Primary shutdown system (if outside containment)

6. All areas associated with one complete decay heat removal system (including all necessary support systems, e.g., power supply, cooling, and lubricating systems)

7. Battery rooms (including battery charger areas)


U.S. NUCLEAR REGULATORY COMMISSION
Revision 2, February 1976
REGULATORY GUIDE
OFFICE OF STANDARDS DEVELOPMENT

REGULATORY GUIDE 1.29
SEISMIC DESIGN CLASSIFICATION

A. INTRODUCTION

General Design Criterion 2, "Design Bases for Protection Against Natural Phenomena," of Appendix A, "General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50, "Licensing of Production and Utilization Facilities," requires that nuclear power plant structures, systems, and components important to safety be designed to withstand the effects of earthquakes without loss of capability to perform their safety functions.

Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50 establishes quality assurance requirements for the design, construction, and operation of nuclear power plant structures, systems, and components that prevent or mitigate the consequences of postulated accidents that could cause undue risk to the health and safety of the public. The pertinent requirements of Appendix B apply to all activities affecting the safety-related functions of those structures, systems, and components.

Appendix A, "Seismic and Geologic Siting Criteria for Nuclear Power Plants," to 10 CFR Part 100, "Reactor Site Criteria," requires that all nuclear power plants be designed so that, if the Safe Shutdown Earthquake (SSE) occurs, structures, systems, and components important to safety remain functional. These plant features are those necessary to ensure (1) the integrity of the reactor coolant pressure boundary, (2) the capability to shut down the reactor and maintain it in a safe shutdown condition, or (3) the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the guideline exposures of 10 CFR Part 100.

This guide describes an acceptable method of identifying and classifying those features of light-water-cooled nuclear power plants that should be designed to withstand the effects of the SSE.

B. DISCUSSION

After reviewing a number of applications for construction permits and operating licenses for boiling and pressurized water nuclear power plants, the NRC staff has developed a seismic design classification system for identifying those plant features that should be designed to withstand the effects of the SSE. Those structures, systems, and components that should be designed to remain functional if the SSE occurs have been designated as Seismic Category I.

C. REGULATORY POSITION

1. The following structures, systems, and components of a nuclear power plant, including their foundations and supports, are designated as Seismic Category I and should be designed to withstand the effects of the SSE and remain functional. The pertinent quality assurance requirements of Appendix B to 10 CFR Part 50 should be applied to all activities affecting the safety-related functions of these structures, systems, and components.

a. The reactor coolant pressure boundary.

b. The reactor core and reactor vessel internals.

c. Systems¹ or portions of systems that are required for (1) emergency core cooling, (2) postaccident containment heat removal, or (3) postaccident containment atmosphere cleanup (e.g., hydrogen removal system).

d. Systems¹ or portions of systems that are required for (1) reactor shutdown, (2) residual heat removal, or (3) cooling the spent fuel storage pool.

e. Those portions of the steam systems of boiling water reactors extending from the outermost containment isolation valve up to but not including the turbine stop valve, and connected piping of 2-1/2 inches or larger nominal pipe size up to and including the first valve that is either normally closed or capable of automatic closure during all modes of normal reactor operation. The turbine stop valve should be designed to withstand the SSE and maintain its integrity.

f. Those portions of the steam and feedwater systems of pressurized water reactors extending from and including the secondary side of steam generators up to and including the outermost containment isolation valves, and connected piping of 2-1/2 inches or larger nominal pipe size up to and including the first valve (including a safety or relief valve) that is either normally closed or capable of automatic closure during all modes of normal reactor operation.

g. Cooling water, component cooling, and auxiliary feedwater systems¹ or portions of these systems, including the intake structures, that are required for (1) emergency core cooling, (2) postaccident containment heat removal, (3) postaccident containment atmosphere cleanup, (4) residual heat removal from the reactor, or (5) cooling the spent fuel storage pool.

i. Systems¹ or portions of systems that are required to supply fuel for emergency equipment.

j. All electric and mechanical devices and circuitry between the process and the input terminals of the actuator systems involved in generating signals that initiate protective action.

k. Systems¹ or portions of systems that are required for (1) monitoring of systems important to safety and (2) actuation of systems important to safety.

l. The spent fuel storage pool structure, including the fuel racks.

m. The reactivity control systems, e.g., control rods, control rod drives, and boron injection system.

n. The control room, including its associated vital equipment, cooling systems for vital equipment, and life support systems, and any structures or equipment inside or outside of the control room whose failure could result in incapacitating injury to the occupants of the control room.²

o. Primary and secondary reactor containment.

p. Systems,¹ other than radioactive waste management systems,³ not covered by items 1.a through 1.o above that contain or may contain radioactive material and whose postulated failure would result in conservatively calculated potential offsite doses (using meteorology as prescribed by Regulatory Guide 1.3, "Assumptions Used for Evaluating the Potential Radiological Consequences of a Loss of Coolant Accident for Boiling Water Reactors," and Regulatory Guide 1.4, "Assumptions Used for Evaluating the Potential Radiological Consequences of a Loss of Coolant Accident for Pressurized Water Reactors") that are more than 0.5 rem to the whole body or its equivalent to any part of the body.

q. The Class 1E electric systems, including the auxiliary systems for the onsite electric power supplies, that provide the emergency electric power needed for functioning of plant features included in items 1.a through 1.p above.

2. Those portions of structures, systems, or components whose continued function is not required but

3. Seismic Category I design requirements should extend to the first seismic restraint beyond the defined boundaries. Those portions of structures, systems, or components that form interfaces between Seismic Category I and non-Seismic Category I features should be designed to Seismic Category I requirements.

4. The pertinent quality assurance requirements of Appendix B to 10 CFR Part 50 should be applied to all activities affecting the safety-related functions of those portions of structures, systems, and components covered under Regulatory Positions 2 and 3 above.

Lines indicate substantive changes from previous issue.

¹ The system boundary includes those portions of the system required to accomplish the specified safety function and connected piping up to and including the first valve (including a safety or relief valve) that is either normally closed or capable of automatic closure when the safety function is required.

² Wherever practical, structures and equipment whose failure could possibly cause such injuries should be relocated or separated to the extent required to eliminate this possibility.

³ Specific guidance on seismic requirements for radioactive waste management systems is under development.

APPENDIX C

ACTION PLAN MEMORANDUM DATED JULY 1, 1985

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

MEMORANDUM FOR:
Victor Stello, Deputy Executive Director for Regional Operations and Generic Requirements
Harold R. Denton, Director, Office of Nuclear Reactor Regulation
John G. Davis, Director, Office of Nuclear Material Safety and Safeguards

FROM: Frank J. Miraglia, Chairman, Vital Area Committee

SUBJECT: VITAL EQUIPMENT/AREA GUIDELINES STUDY ACTION PLAN

References:

1. Memorandum from William J. Dircks, "Vital Equipment/Area Guidelines Study," dated May 1, 1985.

2. Memorandum from Frank J. Miraglia, "Vital Equipment/Area Guidelines Study Action Plan," dated May 21, 1985.

3. Memorandum from Frank J. Miraglia, "Vital Equipment/Area Guidelines Study Revised Action Plan," dated June 17, 1985.

Based upon discussions at our meetings with the Management Policy Review Group on June 4 and June ?5 and further consideration by the Vital Area Committee, we have modified and finalized the action plan to reflect your guidance and recommendations.

We plan to proceed with the study in accordance with this action plan, which is enclosed, unless you direct us otherwise.

We will meet with you again in late July to review our progress and status.

Enclosure: As stated

Frank J. Miraglia, Chairman
Vital Area Committee

cc w/enclosure:
T. Murley, Administrator, Region I
J. Nelson Grace, Administrator, Region II
R. Burnett, Director, Division of Safeguards, NMSS
J. Partlow, Director, Division of Inspection Programs, IE
F. Gillespie, Director, Division of Risk Analysis and Operations, RES

ENCLOSURE

VITAL EQUIPMENT/AREA GUIDELINES STUDY ACTION PLAN

Objectives of Study

Develop a comprehensive and consistent set of recommended assumptions, performance criteria and guidance, in a report to the EDO, for determining vital equipment/areas in nuclear power plants.

The assumptions and guidance should:

1. Consider conditions of normal operation, including anticipated operational occurrences, and those transients and accidents of the types presently considered in the design basis analysis of nuclear power plants;

2. Consider outage activities to the extent that loss of operational functions and capabilities during outages impacts vital equipment;

3. Be readily applicable to identification of required vital equipment and areas on a case-by-case basis; and

4. Have review and concurrence of all cognizant offices.

Preliminary Basic Assumptions

The Vital Area Committee (VAC) has established the following basic assumptions at the inception of the study. These assumptions will be reexamined and changed, if necessary and with MPRG approval, as the study proceeds.

1. The design basis threat of radiological sabotage is as defined in 10 CFR 73.1(a).

2. Conformance with the requirements of 10 CFR 73.55(b)-(h) provides high assurance of protection against the design basis threat. This recognizes that the Commission is considering improved access control relevant to 10 CFR 73.55(d).

3. Successful radiological sabotage results in doses in excess of those defined in 10 CFR 100.

The study will consider protection against radiological sabotage only and will not address non-radiological sabotage.

Scope of Study

The Vital Area Committee (VAC) will:

1. Review all regulations, guidance, definitions, assumptions and criteria currently in effect related to determination of vital equipment and areas;

2. Determine the present status of the application of the items in (1) above to various vintages of plants to establish what staff practice has been and is at present with respect to approving designated vital equipment and areas;

3. Identify any deficiencies, ambiguities, inconsistencies and other problems in the present regulatory approach;

4. Review and evaluate recent and current staff proposals, proposed rules, etc., as they relate to and impact vital equipment and areas. For example, this would include the following:

a. Protection of event mitigating capabilities and their support facilities; e.g., water sources, pumps, switchgear, cable runs;

b. Constraints on vital island concept and compartmentalization requirements;

c. Acceptable final state (hot vs. cold shutdown), required duration of that state, reliance on outside assistance, and consideration of normal equipment repair capabilities;

d. Provisions for compensating for vital equipment which is out of service for maintenance;

e. Credit for plant-specific features and capabilities such as feed-and-bleed;

f. Information, data and recommendations from recent staff and contractor studies as well as operational experience relevant to vital equipment and areas; and

g. Methods used to protect critical equipment for other purposes, such as fire protection.

Study Methodology

The following approach is planned for Vital Area Committee information and data acquisition and assessment:

1. Independent VAC review and evaluation of all relevant documentation; and

2. A series of briefings to the VAC by staff and NRC contractors, as outlined in Attachment 1 (note that these briefings have been completed).

Schedule

The attached figure (Attachment 2) shows the milestones and target dates for the first phase of the study which will produce preliminary recommendations to the Management Policy Review Group (MPRG).

The balance of the study will involve obtaining necessary concurrences of the recommendations and preparing a report.

ATTACHMENT 1

BRIEFING SCHEDULE FOR VITAL AREA COMMITTEE

Session 1 - May 21, 1985, 10:00 a.m., Room 3342 Air Rights

* Current practices for pre-licensing vital area reviews - NMSS
* LANL vital area analyses - LANL
* Vital area criteria for RER reviews - NMSS
* Summary of Insider Rule - NMSS

Session 2 - May 30, 1985, 9:00 a.m., Room P-423 Phillips

* RES/LANL vital area study - LANL
* Evaluation of current definitions and assumptions on vital areas - NRR/DSI
* Appendix R, Fire Protection - NRR/DSI
* Generic Issue A-29, "Nuclear Power Plant Design for the Reduction of Vulnerability to Sabotage" - NRR/DSI
* Vital area inspection program - IE
* Vital area inspection program implementation and critique of current assumptions and suggested changes - Regions I & II

Session 3 - June 6, 1985, 9:00 a.m., Room P-422 Phillips

* USI A-45, "Shutdown Decay Heat Removal Requirements" - NRR/DSI
* Review of "Precursor Studies of Risk Analysis of Several Known Safeguards Events" - RES
* Review of "Nuclear Power Plant Damage Control Measures" - RES

[Attachment 2 (figure): Schedule for Initial Phase of Study. Activities shown: Initial VAC Meeting; Finalize Study Action Plan; MPRG Approves Action Plan; Review of Relevant Documentation; Briefings to VAC; Develop Assumption and Guideline Recommendations; Preliminary Recommendations Presented to MPRG; VAC Meetings with MPRG; VAC Working Sessions. Time axis: week of, May through September.]

APPENDIX D

SUMMARY OF BRIEFINGS TO THE VITAL AREA COMMITTEE

In a series of 13 briefings delivered to the Vital Area Committee (VAC) between May 21 and September 12, 1985, NRC staff members and contractors from the Los Alamos National Laboratory (LANL) augmented the VAC review to determine what vital equipment and which vital areas in nuclear power plants required protection against radiological sabotage.

Each of 11 briefings discussed an individual subject. Two of the briefings (Briefing 6 and 10) discussed 3 and 2 subjects, respectively. Each of the briefings is summarized below.

1. Current Practices for Vital Equipment/Area Reviews

D. Kasun (NMSS), May 21, 1985

This briefing gave the history of the review of vital equipment as defined in 10 CFR 73.2(i) and Review Guideline 17, which require that essentially all safety-related equipment be considered vital.

Some of the early plans protected only Type I equipment and areas (those where a single successful act of sabotage could lead directly to a 10 CFR 100 release). Other plans did not identify LOCA-mitigation or emergency power as vital. Many plans did not specify onsite water sources as vital. Because of such variability in application of the guidance, NRC contracted with LANL in 1978 to perform a vital area program review.

From 1980 to 1983, NRC required applicants to follow Review Guideline 17, essentially without deviation, except that during this period, the staff accepted vital equipment designations approved prior to 1980 on first units for subsequent units at multi-unit sites.

Since June 1983, all plans for plants being licensed have been in full compliance with Review Guideline 17, which means that essentially all safety-related equipment is protected as vital. The SER is used to identify safety-related systems and components and applicants' plans are required to demonstrate that this equipment is located in vital areas.

Other relevant current practices require that barriers to vital areas be solid and substantial, and completely enclose the vital equipment. Seismic Category I reinforced concrete water tanks inside protected areas are accepted as is. Accessible openings are not permitted.

Devitalization of certain areas is permitted when the reactor is in the cold shutdown condition. However, the control room, containment, alarm stations, and emergency power, water, and RHR equipment necessary to maintain the reactor in a safe shutdown condition are not devitalized. The spent fuel pools are normally classified as vital areas.

2. Vital Equipment/Area Protection History and Assumptions

R. Haarman (LANL), May 21, 1985

The development of the Los Alamos National Laboratory (LANL) vital area program and its implementation were outlined. The SETS Code, developed by Sandia National Laboratory, and the generic fault trees were described. Both were developed for use in the vital area analysis program.

The LANL vital area analysis involves a preliminary detailed review of the FSAR. The site is then visited by a Los Alamos team for further specific review. The field data are reduced into computer input and used to tailor the generic fault tree to the site-specific data. A computer analysis is then conducted using the SETS and fault tree techniques to define the minimum equipment required to be protected as vital. After a review and check for accuracy and consistency, the results are submitted to the staff.

3. Vital Area Criteria for the RER Program

B. Mendelsohn (NMSS), May 21, 1985

The objectives of the Regulatory Effectiveness Review (RER) program were outlined. They are to: (1) validate the LANL vital area analysis, (2) assess implemented security system effectiveness, (3) assess contingency response capabilities, (4) assess safety/safeguards interfaces, (5) identify potential generic safeguards issues, and (6) validate the regulatory base.

The process of the RER involves a preliminary analysis of site data, followed by an onsite review and a documentation of the results. The post-review phase involves identification of needed changes to LANL finalization of draft vital area definitions, review by NRR and transmittal of the findings to the licensee for consideration and appropriate action.

Program concerns were identified with respect to the regulatory basis, i.e., the ambiguity of the 10 CFR 73.2 definition of vital equipment and the implementation of the minimum protection set under the current rule. The use of RER reports by licensees as bases for 10 CFR 50.54 security plan changes and the possibility of diminished security effectiveness if too much equipment is designated as vital equipment were also identified as program concerns.

Suggestions for changes to the LANL vital area modeling assumptions were also made.

4. The Safeguards Insider Rules

P. Dwyer (NMSS), May 21, 1985

The components, access authorizations, pat-down search, and miscellaneous amendments of the current Safeguards Insider Rulemaking package were presented and discussed.

The "vital island" concept also was discussed. Some of the stated advantages of the vital island concept include: reduced obstacles to emergency access/egress and protection of co-located vital equipment using existing common barriers.

As a result of public comment and other considerations regarding the Safeguards Insider Rules, the following actions have been planned or taken: (1) the NUMARC proposal for an industry-regulated access authorization program is being considered by the Commission as an alternative to the rulemaking and (2) the vital island concept was deleted from the Miscellaneous Amendments pending completion of the vital equipment/area study and the recommendations of the Vital Area Committee.

5. The Vital Equipment Determination Research Study

P. Pan and A. Neuls (LANL), May 30, 1985

The categorization and status of the following 12 research topics were discussed.

(1) Identifying individual safety-related cables

(2) Disabling complete cable trays

(3) Disabling systems needed during shutdown or refueling conditions

(4) Disabling sensor systems, instrumentation and non-safety-related control systems

(5) Treating spatially extended systems and components (i.e., piping, electrical distribution, and heating, ventilation, and air conditioning (HVAC) systems)

(6) Scenarios involving air systems

(7) Disabling electrical equipment by grounding or lifting of grounds

(8) Relating best-estimate analyses of plant responses to systems failures to the corresponding Final Safety Analysis Report (FSAR) analyses

(9) Effective inclusion of random events, such as anticipated transients, in fault-tree methodologies

(10) Possible system failures after which stable hot shutdown cannot be maintained indefinitely

(11) Considering the use of non-safety-related equipment, unanalyzed procedures, or operator ingenuity to recover from system failures

(12) Reactor protection system vulnerability

Of these 12 research topics, LANL considers only the first one resolved.

The LANL analysis of the cable identification assumption analysis included reviews of plant documentation and interviews of plant, construction, and vendor personnel at several operating plants. The results show that, with very few exceptions, the individual cables cannot be identified in cable trays, and that the issue of cable identification has no impact on current fault tree modeling of assumptions.

LANL is still reviewing the remaining eleven vital area topics.

6. (a) Current Definitions and Assumptions on Vital Areas
(b) 10 CFR 50, Appendix R, Fire Protection
(c) Generic Issue A-29, Nuclear Power Plant Design for the Reduction of Vulnerability to Sabotage

J. Wermiel and A. Singh (NRR), May 30, 1985

The discussion included an approach to identifying vital equipment which protects the reactor coolant pressure boundary and one train of equipment needed for achieving hot shutdown, assuming loss of offsite power. This approach was explained in the context of the 10 CFR 50, Appendix R, post-fire safe shutdown requirements, wherein hot shutdown is to be achieved independent of postulated fire damage in any plant area.

Additional considerations were discussed pertaining to vital areas, including: (1) Alternate or remote shutdown panels should always be considered as vital equipment since shutdown capability independent of the control room must be available and (2) when a vital component is inoperable for maintenance for longer than a few hours, a backup component should be available and temporarily protected as vital in order to maintain one train for shutdown at all times.

Generic Issue A-29, which is evaluating various system designs, plant layouts and safeguards alternatives for effects on reducing vulnerability to sabotage in new and old plants was also discussed.

7. The Vital Area Inspection Program

L. Bush (IE), May 30, 1985

The inspection procedures for identifying vital equipment/areas are primarily based upon the commitments contained in the licensees' security plans. The inspectors verify through onsite inspections that the equipment and areas designated as vital are afforded the level of protection required by the approved security plans and the regulations. IE is in the process of developing a training program for regional inspection staff personnel in the methodologies used in identifying vital systems, equipment, and areas requiring protection.

8. The Vital Area Inspection Program: Implementation and Critique of Current Assumptions and Suggested Changes

T. Martin and G. Smith (RI); K. Barr (RII), May 30, 1985

The various approaches to protecting vital equipment/areas taken by licensees in Regions I and II were discussed. The number of areas in nuclear power plants designated as vital ranges between 3 and 22. Enveloping areas with some compartmentalization are generally used. It was suggested that consideration be given to protecting only certain key vital areas in conjunction with use of the two-man rule.

Concerns were discussed about lack of consistency in identifying vital equipment/areas at recently licensed plants. On a generic basis, Region II agreed with the vital island concept contained in the proposed Safeguards Insider Rules package. This approach, along with a more stringent access authorization program, would go a long way toward resolving the Region II concerns.

9. USI A-45, "Shutdown Decay Heat Removal Requirements"

A. Marchese (NRR), June 6, 1985

The specific objectives of this unresolved safety issue (USI) resolution program, which were outlined, include: (1) determination of the safety adequacy of decay heat removal in existing nuclear power plants for achieving both hot shutdown and cold shutdown; (2) evaluation of the feasibility of alternative methods for improving decay heat removal, including diverse alternatives dedicated to decay heat removal; (3) assessing the value and impact of the most promising alternative methods; and (4) developing a plan for implementing new licensing requirements for decay heat removal, including developing a comprehensive and consistent set of decay heat removal requirements.

Some general findings have revealed that co-locating redundant safety equipment and support systems in relatively large open compartments provides a variety of opportunities for adverse insider activities.

Some sabotage countermeasures were discussed, ranging from procedure changes and equipment modifications to independent decay heat removal systems.

A summary of European experience provides evidence that, in the long run, it is more economical to construct an independent dedicated system than to make piecemeal changes throughout the plant.

10. (a) Precursor Studies of Risk Analysis of Several Known Safeguards Events
(b) Nuclear Power Plant Damage Control Measures

P. Ting (RES), June 6, 1985

Eleven safeguards events selected by NMSS were discussed from an accident sequence precursor standpoint to provide an estimate of the contribution of these deliberate acts to the susceptibility of operating power reactors to severe core damage.

All 11 events, as reported, were considered benign from the standpoint of potential severe core damage.

Information concerning intent of the person causing each event is unknown, and hence the likelihood of additional deliberate acts as a part of each event cannot be estimated.

The main objectives of damage control measures for sabotage mitigation are: (1) to restore or maintain a functional capability and (2) to extend time available to restore a capability lost as a result of sabotage. Some of the damage control measures considered included using existing systems in normal or alternate modes of operation, i.e., required equipment in-place and system-level design changes.

Conventional damage control measures were not considered.

Some examples of types of systems-level design changes considered for PWRs and BWRs include:

System: High-pressure coolant injection (BWRs)
Modification: Modify for suppression pool feed-and-bleed cooling

System: Safety injection system (PWRs)
Modification: Cross-connect to substitute for AFW system

Some conclusions drawn from the review of the research projects indicate that:

(1) Damage control is not a stand-alone safeguards measure for sabotage mitigation but can be an effective part of an integrated safeguards system.

(2) Many design features to facilitate damage control are not included in current plants.

(3) Systems used for damage control must be protected as vital.

11. Equipment Requiring Protection Under Various Condition Assumptions

J. Wermiel (NRR); B. Mendelsohn and D. Kasun (NMSS), August 1, 1985

In support of the Vital Area Committee's evaluation of the current vital equipment/area analysis assumptions, supplementary briefings by NRR and NMSS staff were made in a number of areas related to system response to sabotage.

NRR identified the equipment in one train needed for hot and cold shutdown. For cold shutdown, only certain RHR-related equipment is needed beyond that required for hot shutdown. It was also noted that there is no difference between equipment needed to maintain hot shutdown for 24 hours and that required to maintain shutdown for 8 hours except for additional water supply.

NRR commented on the effects of total loss of all ac (station blackout) and dc power on the ability to achieve and maintain safe shutdown. The major impacts would be: inability to monitor plant status (loss of dc power), and inability to provide reactor coolant pump seal cooling and primary makeup (loss of ac power).

NRR stated that because of 10 CFR 50, Appendix R, fire protection requirements, licensees have catalogued and documented power, control, and instrumentation cable runs so that those associated with vital equipment are more readily identifiable than was the case before the Appendix R requirements existed.

Finally, NRR indicated agreement with the assumption that a loss of offsite power is the bounding transient with respect to challenge of safety systems in a PWR.

NMSS identified specific pieces of equipment requiring protection as vital in recently licensed PWRs and BWRs. These include auxiliary shutdown panels, even though they might not be safety-related, and vital water sources, including distribution systems.

NMSS also discussed the implications of station blackout to a 10 CFR 100 release following a sabotage event and reaffirmed that a source of 125-volt dc control power and 120-volt ac instrument power are assumed necessary for safe shutdown in the RER vital area validation program.

12. Selected Vital Equipment Assumptions
P. Pan and D. Cameron (LANL), August 8, 1985

LANL representatives cognizant of vital equipment-related technical assistance efforts sponsored by both NMSS and RES briefed and participated in discussions with the VAC on the rationale for implementing several of the currently used analysis assumptions. The following points were made regarding the assumptions discussed (see Appendix E).

(1) Assumption on core melt - LANL's modeling assumes that the core must be kept covered with water and decay heat removal capability must be maintained to preclude core melt, and an attendant 10 CFR 100 release.

(2) Assumption on identification of cables in cable trays - LANL reiterated its earlier position that, on the basis of LANL studies, plant visits, and discussions with utility personnel, it is normally not possible to identify individual cables in cable trays. However, in satisfying 10 CFR 50 Appendix R requirements, licensees have prepared documentation that identifies cable routings and locations. Therefore, although a saboteur might not be able to identify a specific cable among many in a tray, the saboteur could know that a certain cable is found in a specific tray.

It was noted that destroying or disabling of power, control, or instrumentation cables to vital components is unacceptable and, if such cables are determined to be vulnerable, they would have to be protected. It was also noted that by indiscriminately destroying an entire cable tray, the saboteur might also be eliminating cables necessary to the success of the act of sabotage.

(3) The VAC-proposed draft assumption on disabling valves and other equipment - This is essentially covered by the assumption which states that if a saboteur gets into a single area, he or she can disable all equipment in that area. By making a few minor changes to the latter assumption, this one can be deleted. A related point was made concerning diversionary flow. That is, if a pipe that comes off a vital pipe line is destroyed and if a pipe that is destroyed is of significant size relative to the main pipe, essentially the main pipe has been destroyed.

(4) Assumption on operating modes - Although in most cases, vital equipment identified for sabotage acts during full-power operation would include as a subset vital equipment needed for other modes, such as shutdown or refueling, this needs to be verified on a case-by-case basis to be sure. Also, it was noted that some licensees may devitalize certain components and systems during cold shutdown and refueling so that compensatory measures might be needed.

(5) The VAC-proposed draft assumption on check valves - It was noted that all check valves should be considered invulnerable to sabotage from remote locations because: (a) check valves (except motor-operated) cannot be manipulated and, therefore, can be considered an integral part of the pipe, and (b) it is easier for a saboteur to achieve his/her purpose by destroying the pipe.

13. USI A-44, Station Blackout
A. Rubin (NRR), September 12, 1985

The Committee was briefed on the status of the Station Blackout USI, which involves loss of all offsite and onsite ac power, because of its relevance to identification of equipment and systems required to achieve and maintain hot shutdown. The proposed technical resolution to this USI would require plants to cope with a loss of all ac power either for 4 or 8 hours, depending on the reliability of their power grid and their onsite emergency power supply. The critical items are the coolant pump seals, and licensees would be required to demonstrate that leak rates through the seals during the blackout period remain low enough to preclude core uncovery.

On the basis of this briefing, the Committee concluded that the results of these USI analyses, demonstrating self-sufficiency for at least 4 hours in the absence of any ac power, are relevant to the identification of equipment required to be protected as vital.

APPENDIX E

CURRENT LANL VITAL EQUIPMENT/AREA ANALYSIS ASSUMPTIONS

Current assumptions made by analysts at the Los Alamos National Laboratory about sabotage involving vital equipment and vital areas in a nuclear power plant include:

1. A 10 CFR Part 100 release is the successful sabotage criterion.

2. A significant core melt will probably lead to a breach of the reactor vessel and containment and subsequently will result in a 10 CFR 100 release, based on three modes of failure (see WASH-1400):

   steam explosion
   containment overpressure
   China syndrome

3. The use of explosives is included in the analysis. All types of explosives, including shaped charges, are assumed to be available to the saboteur, and the staff assumes the saboteur has the necessary skills to use them. The amount of explosives is assumed to be what can be carried on an individual's back.

4. The licensee cannot take credit for availability of offsite power. This assumption is based on the fact that offsite power is transmitted by facilities outside the protected area and hence, is completely vulnerable to outside assault. Note that there are scenarios in which it is to the saboteur's advantage to maintain offsite power and, in all these cases, the automatic scram features are included. Therefore, it is the NRC staff position that protecting these features as Type I Vital is adequate protection.

5. If the saboteur gains access to those areas where the reactor protection system (rod scram equipment) can be disabled, a fuel melt incident will occur. This assumption infers an initiating event that requires a plant scram. The vast number of areas where these initiating events can be caused has motivated the NRC to adopt the position that protection of the rod scram as Type I Vital obviates the need to protect those areas where the events can be initiated.

6. If a saboteur gets into a single area containing several pieces of equipment, he can disable all of the equipment in that area.

7. The saboteur is assumed to be knowledgeable of all scenarios, which infers that staff analysis is extremely conservative. However, there are some details of the plant that are not practical to determine or are too difficult to verify in the field, as the routing of cables in cable trays and conduit. It is usually difficult for maintenance personnel to identify cable runs. However, identification of terminal boxes and junction points is a practical task, hence cable junctions are identified in the analysis. Furthermore, there are scenarios for which the saboteur needs power to perform sabotage successfully, so the indiscriminate cutting of cables (hence the protection of all cable trays) would not be to the saboteur's advantage.

8. The code does not go into detail on exactly how the saboteur disables equipment; the code assumes the saboteur has sufficient knowledge of motors, pumps, motor control centers, etc. to disable the system.

9. The analysis is performed assuming the reactor is in the operating mode, and other conditions (such as shutdown and refueling) are subsets of the operating mode.

10. Check valves located inside the containment are considered "safe" from sabotage caused by a saboteur located outside the containment.

11. The saboteur cannot take credit for random failures or the concurrence of violent natural phenomena with sabotage; however, it is reasonable to assume the saboteur can take advantage of equipment unavailable on planned outages. Therefore, Technical Specification requirements for operation with minimum equipment are considered.

12. The licensee need only consider maintaining the plant at hot shutdown conditions. Primary system leaks are considered on a plant-specific basis.

13. Obviously, in many of the assumptions, certain judgments must be made regarding damage control measures that can be taken by the licensee on a site-specific basis; however, the NRC staff's guidance has been very conservative and does not usually permit the licensee damage control credit.

14. An important assumption made in determination of area boundaries is that for flexibility of analysis only, the staff considers any area that has four walls, a ceiling and a floor to be an area. Where motor control centers or electrical racks could be separately protected, they are also considered as areas.

15. Loss of all ac power (station blackout), plus loss of dc power for instruments and critical equipment, will lead to fuel melt (NMSS staff position).

16. A bounding transient (PWR) is considered to be loss of offsite power. This has been assumed to be the most significant transient in that it disables the reactor coolant pumps and shuts off feedwater to the steam generators. A comparison of transients in a plant probabilistic risk analysis showed that the equipment required to protect against this transient includes all, or nearly all, of the equipment demands of other transients. This places almost total reliance on mitigation systems (auxiliary feedwater) to remove the decay heat. On a generic basis, however, this transient places no demands on primary loop inventory control. A research group has been reviewing the needs for primary inventory control to protect against radiological sabotage.

APPENDIX F*

DISPOSITION OF COMMENTS RECEIVED ON THE DRAFT VITAL EQUIPMENT/AREA GUIDELINES STUDY AND COMMENTS RECEIVED ON THE DRAFT VAC REPORT

* Designated "Enclosure 2" in March 5, 1986 memorandum transmitting Vital Area Committee Final Report.

Disposition of Comments Received on the Draft Vital Equipment/Area Guidelines Study

The draft VAC report was transmitted on October 21, 1985, with a request for comments to:

Director, Office of Nuclear Reactor Regulation (NRR)
Director, Office of Nuclear Materials Safety & Safeguards (NMSS)
Director, Office of Inspection & Enforcement (IE)
Director, Office of Nuclear Regulatory Research (RES)
Administrator, Region I (RI)
Administrator, Region II (RII)
Administrator, Region III (RIII)
Administrator, Region IV (RIV)
Administrator, Region V (RV)

In response to that request, comments were received from each addressee. The original comments are attached as an appendix to this summary discussion of their disposition. The Vital Area Committee carefully considered each comment and the disposition of each comment is discussed below. Each comment was accommodated by modifying the report appropriately or a reason given for not doing so. The comments are referenced by the assumption number in the draft report, use of the abbreviations indicated above and the pages/items in the Appendix to this summary.

Assumption 1

Comment: Suggested that a definitive statement be made that the containment building, or drywell in a BWR, be vital. Also suggested that there may be a conflict between this assumption and assumption #11, which allows the saboteur multiple actions on all vital equipment in a single area. (RII, Page 2)

Response: We agree that, as a practical matter, protection of components of the primary coolant pressure boundary as vital would be accomplished by licensees protecting containments (drywells in the case of BWRs) as vital areas. Since this is a logical result of the assumption, a change in the assumption is not considered necessary. There is no conflict with assumption #11 in that sabotage in a vital area is assumed to be precluded.

Comment: Stated that the steam generator tube walls are not considered a part of the primary system boundary and, therefore, should be explicitly included for protection as vital since steam generator tube ruptures may be indirectly caused by malfunctions in non-safety related systems. (RES, Page 12)

Response: The entire steam generator, including the tubes, are part of the primary system pressure boundary and protected as vital.

Assumption 2

Comment: Questioned whether the threshold of successful radiological sabotage might be lowered to meet 10 CFR Part 50.72 or 10 CFR Part 20.403 criteria instead of 10 CFR Part 100. (RIV, Page 8, Item 3)

Response: The 10 CFR Part 100 release threshold is conservative and appropriate, particularly since it is the same offsite dose threshold utilized in other accident evaluations.

Comment: Questioned whether the rationale that no credit for protective or mitigating capabilities of the pressure vessel and/or containment is appropriate, and whether they should be given the same credit as they receive in design basis accidents. (RIV, Page 9, Item 4a.)

Response: The standard for acceptable protection is prevention of a 10 CFR release. Credit is given for anything within vital areas providing such protection, including the reactor vessel.

Assumption 3

Comment: Recommended that certain equipment be considered for addition to the list of equipment requiring protection. Also proposed that the words "continuously operable" be added to the assumption, or require two redundant trains of vital equipment since vital equipment in some plants (e.g., auxiliary feedwater pumps) may not be required to be operable by technical specifications. Further noted lack of an 8-hour diesel fuel oil capacity, which is a concern if the diesel is required to be vital. (RII, Pages 2 & 3)

Response: Assumption #7 covers the concern over the words "continuously operable" by requiring vitalization of a backup when any vital component is inoperable. The need for protection of an 8-hour capacity of diesel fuel oil will be resolved on a case-by-case basis depending on the reliance placed on the diesel. No additions have been made to the list of equipment in the assumption as it only provides examples of necessary equipment and is not all-inclusive.

Comment: Stated that some portions of decay heat removal systems may not be safety-related and thus not maintained operable. Also questioned reliance on a single train of vital equipment. (RIII, Page 5, Item 3)

Response: The decay heat removal systems to be utilized for sabotage protection are covered by the tech specs; therefore, their operability status is known and the systems are suitably maintained. Also refer to the response to the previous comment.

Comment: Pointed out the need for additional flexibility to implement changes in vital areas required by this assumption based on differences in plants. (RIV, Page 9, Item 4b.)

Response: The assumptions will be applied on a case-by-case basis; therefore flexibility is provided.

Comment: Suggested that this assumption be made clearer and more definitive, and cited examples of concerns regarding implementation. (NMSS, Pages 14 & 15)

Response: More definitive guidance which addresses the specifics in the points raised here will be developed by the staff as part of the implementation plan for applying the revised vital equipment assumptions. The vital equipment selected by the licensees will be reviewed against this guidance on a case-by-case basis to confirm that it satisfies the assumptions.

Assumption 4

Comment: Questioned why the control room and associated cable spreading rooms were not identified as vital. Suggested that the one vital operable train for removing decay heat be capable of operation from the control room and not rely on local operation in normally unmanned remote vital areas. Cited an example. (RII, Page 3, Item 4)

Response: Assumptions #4 and #9 have been reworded to address the first part of this comment. As part of the decay heat removal capability for mitigation of a sabotage-induced transient, each licensee must address the means provided for starting and controlling required pumps. In the example cited, the licensee must demonstrate that a feasible and protected means of starting the turbine-driven auxiliary feedwater (AFW) pump is provided and can be accomplished in accordance with the revised assumptions. This might mean that the automatic start capability of the turbine-driven AFW pump will require protection as vital. This issue will be addressed on a case-by-case basis.

Comment: Suggested that some examples of locations from which vital equipment can be controlled or disabled be added to the assumption. (RV, Page 10)

Response: Assumption #4 has been reworded to address this comment.

Comment: Suggested that the word "disabled" may be more correct than "controlled" in the assumption. (NMSS, Page 15)

Response: Assumption #4 has been reworded to address this comment.

Assumption 5

Comments: Stated that assumptions #5 and #7 appear to contradict each other with regard to operating mode and equipment unavailability and that assumption #5 does not take into account multiple maintenance outages on vital equipment or unique valve alignment. (RIII, Page 5, Items 1 & 4) Suggested that conditions other than the power mode be considered since sabotage during such conditions can cause a DBA or 10 CFR Part 100 release. (RIV, Page 9, Item 5) Suggested that assumption include "hot standby". Stated that much greater flow rates are required after shutdown than indicated in the rationale. Stated that rationale is misleading in that, under certain conditions, significant core damage can occur a long time after shutdown. (RES, Page 12)

Response: Revised wording of the rationale responds to the above comments.

Assumption 7

Comments: Stated that, based on experience, concurrent random failures should be considered with a sabotage event. (RII, Page 4) Recommended that redundant trains be protected as vital in order to avoid reliance on appropriate compensatory measures when vital equipment is unavailable. (RIII, Page 5, Item 5) Requested that the terms "appropriate compensatory measures," "radiological sabotage" and "single failure criteria" be further defined. (RIV, Page 9, Item 6) Questioned the assumption as not considering undetected failures and noted that not all Class IX accidents are of low likelihood. (RES, Page 12)

Response: These comments questioned the advisability of allowing for the protection of single train, given that 100% reliability of the protected train, if called upon in a casualty situation, cannot be assured. The Committee's view is that the recommended approach is consistent with NRC policy concerning the operability of important equipment. For example, fire protection requirements are predicated upon the assumption that any one train of equipment needed for safe shutdown will be available following a postulated fire. Similarly, Limiting Conditions for Operation (LCOs) allow continued operation for varying periods of time even though normally available redundant equipment is temporarily not available. While it is acknowledged that absolute reliability of the single protected train cannot be assured, the recommended approach is consistent with established policy. This matter was discussed with the Management Policy Review Group during a status meeting prior to completion of the Committee Report.

Suitable flexibility in required protection for one train should be permitted on a case-by-case basis. In practice, some plants may find it easier to protect redundant trains. However, it should be up to the individual plant to determine how protection for a secondary train will be achieved when the primary vital equipment is unavailable.

Assumption 9

Comments: Recommended that the cable spreading room be protected as a separate vital area. (RIII, Page 6, Item 6) Stated that the assumption may not be valid since IEEE Standards recommend cable identification. (RES, Page 12)

Response: Assumption #9 has been reworded to address these comments.

Assumption 10

Comment: Recommended that a design basis amount of explosives be specified. (RES, Page 12)

Response: Determination of which equipment needs to be designated vital is insensitive to the specific amount of explosives that individuals can carry in light of Assumption 11, which states that no credit is given for any equipment not located in vital areas. Implementation of the assumption to determine which equipment needs to be designated vital does not require the analyst to consider specifically how much explosives can be used by the adversary. The goal was to bound the problem by characterizing an amount that could be carried, consistent with the design basis threat, without requiring a vehicle.

Assumption 12

Comment: Requested that a more specific definition of a 10 CFR Part 100 threat from the spent fuel pool be provided based on storage of other highly radioactive components/equipment in the pool. (RIII, Page 5, Item 2)

Response: Other than spent fuel, the VAC can identify no other components/equipment stored in the spent fuel pool which, when damaged, would cause a 10 CFR Part 100 release as defined for radiological sabotage.

Comment: Noted that safeguards staff might not be able to determine how long the spent fuel pool must be protected as vital. (RV, Page 10)

Response: The determination of required duration can be calculated on a case-by-case basis by the appropriate plant staff.

Comment: Recommended that the assumption be clarified by adding "following the start of a refueling outage" and by noting in the rationale that average environmental conditions can be assumed for the offsite dose calculations. (NMSS, Page 15)

Response: The assumption has been reworded as suggested. The Committee considered the suggested change in the rationale to involve an unnecessary level of detail.

General Comments

Comment: Recommended that the protection philosophy mention the need for protection of certain portions of the electrical power supplies and control and instrumentation for the one train of vital equipment. (RI, Page 1)

Response: The proposed addition was made to the vital equipment/area protection philosophy and analysis assumptions.

Comment: Suggested that additional flexibility may be required for implementing the protection philosophy. (RIV, Page 8, Item 1a) Suggested an additional section that addresses HTGR facilities. (RIV, Page 8, Item 1b.)

Response: Part a. The report provides for any implementation flexibility that might be required; no changes are necessary.

Part b. The report has been revised to state that HTGR facilities will be treated separately and that this report considers LWRs only.

Comment: Suggested a clarification with regard to protection of one or both trains, particularly if the status of one train is unknown. (RIV, Page 8, Item 2a.) Requested a better definition of a vital area. (Item 2c.) Requested that the revised report be provided for comments again. (Item 2d.) Requested a better definition of "a set of important safety-related components". (Item 2e.)

Response: Item 2a. Assumption #3 does state that one train of equipment will be protected as vital. Assumption #7 has been reworded to address compensatory measures to assure that one train is always available as necessary.

Item 2c. This is defined in 10 CFR 73.2(1)(h).

Item 2d. The VAC has solicited, received and addressed comments on its draft report in accordance with the EDO's directive of May 1, 1985. Any further review of the report would be at the discretion of the EDO.

Item 2e. For clarification, additional safety-related components have been added to the assumptions as appropriate.

Comment: Certain assumptions result in vulnerabilities comparable to those in the design basis envelope, and therefore, lead to Class IX events. (RES, Page 11)

Response: Assumption #7 has been reworded to address this comment.

Comment: Requested that the report indicate whether or not credit could be taken for feed-and-bleed in site-specific cases. (NMSS, Page 15)

Response: The implementation plan to be developed by the staff will indicate that credit can be taken for any means of decay heat removal (including feed-and-bleed) for mitigation of a sabotage-induced transient provided that (1) all necessary equipment for that means is protected as vital, and (2) an acceptable analysis demonstrating the adequacy of the proposed method in accordance with the revised assumptions is provided. This issue will be reviewed on a case-by-case basis.

Comment: Stated that further measures are needed to assure the equivalence of protected trains. (IE, Page 17)

Response: Assumption #7 has been reworded to address this comment. The response to the comments on Assumption #7 also applies to this comment.

APPENDIX TO APPENDIX F

UNITED STATES NUCLEAR REGULATORY COMMISSION
REGION I
631 PARK AVENUE
KING OF PRUSSIA, PENNSYLVANIA 19406

NOV 19

MEMORANDUM FOR: Frank J. Miraglia, Chairman, Vital Area Committee

FROM: Thomas E. Murley, Regional Administrator, RI

SUBJECT: VITAL EQUIPMENT/AREA GUIDELINES STUDY - VITAL AREA COMMITTEE DRAFT REPORT

Your memorandum of October 21, 1985, requested review of the subject report. We have completed our review and offer the following comments for your consideration.

We believe that the three premises which formed the basis for the protection philosophy are sound and that the objective of the study to develop a consistent, logical approach to identify vital equipment/areas for subsequent protection has been achieved. Further, the revised set of analysis assumptions appear to be well founded and support the vital equipment/area protection philosophy which is espoused. We note, however, that the statement of the philosophy fails to mention the need for protecting as vital, certain portions of electrical power supplies and control and instrumentation for the one train of equipment that will provide the capability to achieve and maintain hot shutdown.

Finally, with regard to the conclusion concerning the impact of implementation on licensed plants, it is our view that these guidelines would be welcomed by licensees, since it should provide most licensees with the option of reducing the current number of vital areas.

Thank you for the opportunity to review the draft report. We found that it treated the issues very well and we support the Committee's efforts.

Thomas E. Murley
Regional Administrator

cc:
V. Stello, EDO
R. Burnett, SG
F. Gillespie, ORAO
J. Partlow, DQASIP
H. Denton, NRR
J. Davis, NMSS
J. Taylor, IE
R. Minogue, RES
Regional Administrators, RII, RIII, RIV, RV

UNITED STATES NUCLEAR REGULATORY COMMISSION
REGION II
101 MARIETTA STREET, N.W.
ATLANTA, GEORGIA 30323

NOV 20 1985

MEMORANDUM FOR: Frank J. Miraglia, Chairman, Vital Area Committee

FROM: J. Philip Stohr, Director, Division of Radiation Safety and Safeguards

SUBJECT: VITAL EQUIPMENT/AREA GUIDELINES STUDY - VITAL AREA COMMITTEE DRAFT REPORT (REFERENCE: FRANK J. MIRAGLIA MEMORANDUM, DATED OCTOBER 21, 1985)

The Region II staff has reviewed the reference memorandum in its entirety, while putting special emphasis on Section VI.A as requested. The following staff comments are provided as they relate to the proposed vital equipment/area protection philosophy and analysis assumptions:

1. Executive Summary

We concur with the philosophy of the Vital Area Committee (VAC) to protect as vital the reactor coolant pressure boundary and one train of equipment with associated piping and water sources that provide the capability to achieve and maintain hot shutdown, which would be provided on a case-by-case for each plant.

2. Assumption 1

This appears to require, as a practical matter, that the containment building, or drywell in a BWR, be vital, which appears necessary. We suggest that a definitive statement be made to that effect. Additionally, there seems to be a conflict between this assumption and assumption #11 which allows the saboteur multi-actions on all vital equipment in a single area. Assumption #1, on the other hand, protects a single piece of equipment and, contrary to the attributes of the design threat (use of explosives, para-military training, etc.) precludes the "insider" from causing a LOCA.

3. Assumption 3

We concur with the assumption and rationale. However, under the typical list of equipment the following additions should be considered:

(1) Reactivity control - Boration capability, including control and boration source.

(2) Decay heat removal - Power operated relief valves (Steam Generator/PWR). Suppression pool cooling (RHR suppression pool cooling mode/BWR).

CONTACT: K. P. Barr, FTS 242-5612

(3) Process instrumentation - Source range flux instrumentation. Level instrumentation for all tanks used.

(4) Reactor coolant makeup (PWR) - Charging pumps or high pressure injection pumps (pressurizer power operated relief valves may be required to reduce pressure to allow use of high pressure injection pumps)

(5) Reactor coolant system pressure control - Charging pumps or pressurizer heaters (PWR). Safety relief valves or depressurization system valves (BWR).

(6) Support functions - Diesel generator (PWR and BWR), fuel supply and tank.

Additionally, with respect to assumption #3, Region II proposes the words "continuously operable" be used or else require two redundant trains. Some of the equipment considered vital and used to hold in hot shutdown is not required by Technical Specifications to be operable at all times during full power operation. An example is auxiliary feed pumps. If only one of three installed auxiliary feed pumps becomes inoperable, typically power operation may continue. If that pump is the designated vital pump, sabotage protection is gone. One could put out special action statements on vital equipment but a better solution is to simply require one train to be continuously operable. The licensee would then probably make all redundant equipment in the opposite train vital. In any case we must ensure that at least a single operable train is available.

One problem that many plants have is they do not have an 8-hour capacity of diesel fuel-oil in the day tank in a vital area. This should be clearly required under support functions.

4. Assumption 4

Why not include control room and associated cable spreading rooms? Some licensees have the control room only vital but a single act of sabotage in the cable spread area can render the main control room blind and useless. Therefore, the cable spread rooms must be vital also. Possibly, this is covered under assumption 10, but we should be more specific.

As a related comment, the one vital operable train for removing decay heat should be capable of operation from the control room without an individual present in the normally unmanned remote vital area. As an example, some licensees now take credit for local manual operation of a turbine driven auxiliary feed pump. However, in the midst of a serious security intrusion, it is not clear that a member of the plant staff can get to the pump to operate it locally. Therefore, the equipment should be operable from the control room.


5. Assumption 7

We cannot ignore previous experience that random failures do occur simultaneously with the reliance upon safety related equipment. The recent random failures of under voltage reactor trip assemblies at D. C. Cook highlight the random failures during operational emergencies. We believe that the same random failure possibility exists whether or not a sabotage event occurs.

While the above comments have been the result of Safeguards, Reactor Projects and Reactor Safety personnel, Ken Barr of my Safeguards staff is the Region II point of contact for this effort.


UNITED STATES NUCLEAR REGULATORY COMMISSION
REGION III
799 ROOSEVELT ROAD
GLEN ELLYN, ILLINOIS 60137

NOV 15 1985

MEMORANDUM FOR: Frank J. Miraglia, Chairman, Vital Area Committee

FROM: Jack A. Hind, Director, Division of Radiation Safety and Safeguards, Region III

SUBJECT: VITAL EQUIPMENT/AREA GUIDELINES STUDY - VITAL AREA COMMITTEE DRAFT REPORT

As requested in your October 21, 1985 memorandum, we have reviewed the document on the above subject and have the following comments:

1. Page iii & iv - Assumptions 5 and 7 - These two assumptions appear to contradict each other. Assumption 3 states that only the power mode of operation should be considered while assumption 7 indicates that the unavailability of equipment may be exploited by the adversary.

2. Page iv - Assumption l? - Many facilities store other highly radioactive components/equipment in the spent fuel pool which continuously poses a 10 CFR Part 100 threat to the public health and safety. A more specific definition of what constitutes a 10 CFR Part 100 threat from the spent fuel pool should be included as part of the report.

3. Page 17 - Assumption 3 - Some portions of the decay heat removal systems may not be safety-related equipment. The dependence on nonsafety-related equipment, which may not be adequately maintained, as the single train to maintain hot shutdown appears to provide a lesser degree of protection than if both trains were protected as vital.

4. Page 19 - Assumption 5 - The rationale, although logical, does not take into account multiple maintenance outages on vital equipment and/or unique valve alignments during maintenance/refueling outages that could be exploited to cause the reactor to drain in other than operation modes.

5. Page 21 - Assumption 7 - What will be "appropriate compensatory measures" to assure iG?XEu7i.J of the hot shutdown capability? The description of compensatory measures used, on this assumption, appears to logically indicate that when the "primary train" is disconnected or taken out of service the "secondary train" then becomes "vital." We believe that this "floating" vital area concept could lead to an unacceptable level of risk of system failure. Consequently, we recommend that the "secondary" system should continue to be protected as vital.

6. Page 23 - Assumption 9 - The cable spreading room presents a sabotage threat because "all" cables are located in this room and a "single" action could remove the entire control capability from the control room without the need to enter the control room at all. This room should be protected as a separate vital area.

Should you or your staff desire to discuss these comments, please contact 0. A. Kers at FTS 388-5766 or J. R. Creed at FTS 388-5643.

Division of Radiation Safety and Safeguards

cc:
H. R. Denton, NRR
J. G. Davis, NMSS
J. M. Taylor, IE
R. B. Minogue, RES
T. E. Murley, RI
J. N. Grace, RII
R. D. Martin, RIV
J. B. Martin, RV

UNITED STATES NUCLEAR REGULATORY COMMISSION
REGION IV
611 RYAN PLAZA DRIVE, SUITE 1000
ARLINGTON, TEXAS 76011

MEMORANDUM FOR: Frank J. Miraglia, Chairman, Vital Area Committee

FROM: Robert D. Martin, Regional Administrator, RIV

SUBJECT: VITAL EQUIPMENT/AREA GUIDELINES STUDY - VITAL AREA COMMITTEE DRAFT REPORT

This is in response to your subject memorandum dated October 21, 1985.

Members of my staff have reviewed the Draft Report and their comments are attached for your consideration.

We appreciate the opportunity to comment on this important matter. Should you have any questions regarding our comments, please contact either Doyle Hunnicutt, FTS 728-8137, or Larry Yandell, FTS 728-8108.

Robert D. Martin
Regional Administrator

cc:
H. R. Denton, NRR
J. G. Davis, NMSS
J. M. Taylor, IE
R. B. Minogue, RES
T. E. Murley, RI
J. N. Grace, RII
J. G. Keppler, RIII
J. B. Martin, RV

ATTACHMENT

COMMENTS ON VITAL EQUIPMENT/AREA GUIDELINES STUDY VITAL AREA COMMITTEE DRAFT REPORT

1. Section VI. Study Results, entire section - General Comments

a. Additional flexibility may be required to implement changes that may occur or that may have significant impact on some utilities or one category of power plants (examples: NSSS for BWR vs. NSSS for B&W PWR).

b. This draft appears to address only light water cooled nuclear power plants. Should there be an additional section or paragraph that would address HTGR facilities? Should there be provisions for custom reviews of certain plants or plants under certain circumstances (examples: very poor performance histories, accidents and/or incidents that could easily have affected the health and safety of the public, and/or problems identified by the licensee or NRC)?

2. Section VI. Study Results, page 12.

a. Should clarify whether both trains or, as a minimum, one train must be available. Specify how to assure one train is available, if the other train status is unknown or not verified.

b. The assumptions and the rationale for these assumptions appear to be comprehensive and logically presented.

c. An improved definition of what constitutes a "vital area" is needed.

d. The revised edition of this draft should be presented for comments at the earliest date possible. It is assumed that the draft report will receive the standard publication and time limits as similar publications (NRC Commission, utilities, general public and other interested parties).

e. The philosophy of a set of important safety-related components should be more precisely defined.

3. Section VI. Study Results, page 14.

a. Should the threshold of successful radiological sabotage be lowered to meet 10 CFR Part 50.72 or 10 CFR Part 20.403, instead of 10 CFR Part 100?

4. Section VI. Study Results, page 16

a. Is the rationale that no credit for protective or mitigating capabilities of the pressure vessel and/or containment considered appropriate? Should this rationale permit some allowance DB or other acceptable standard?

b. Assumption 3 - same comment as 1.a. above.

5. Section VI. Study Results, page 19.

a. Other plant conditions can cause DBA and/or 10 CFR Part 100. The "vital areas" study should incorporate other postulated conditions.

b. The time period when large (several thousand gallons of water per minute) are required is not included as a significant item. The second paragraph of the RATIONALE could mislead some public reviewers with the indication that only a small quantity (less than 100 gpm) of water is required after about 24 hours shutdown time.

c. The statement at the end of the second paragraph, "There is a very limited time span during which any significant damage can be caused" is not appropriate and is very misleading. Significant damage can be caused for a long time (greater than a month) under specified conditions.

6. Section VI, Study Results, page 21

a. The term "appropriate compensatory measures are required" should be further defined.

b. The rationale does not address fully the sabotage issue. The term "successful radiological sabotage" should be defined. A "successful radiological sabotage" could easily be panic caused by a small (less than limits stated in 10 CFR Part 20) release with media and rumor inputs to the general public.

c. The rationale of "single failure criteria" should be further defined and covered in this document.

UNITED STATES NUCLEAR REGULATORY COMMISSION
REGION V
1450 MARIA LANE, SUITE 110
WALNUT CREEK, CALIFORNIA 94596

MEMORANDUM FOR: Frank Miraglia, Chairman, Vital Area Committee

FROM: 0. P. Mrsch, Deputy Director, Division of Reactor Safety and Projects

SUBJECT: VITAL EQUIPMENT/AREA GUIDELINES - VITAL AREA COMMITTEE DRAFT REPORT

The subject draft report, forwarded to Region V under cover memo, dated October 21, 1985, has been reviewed. Overall we find the study better than most we have read. It appears that the committee has developed a comprehensive and consistent set of recommended assumptions.

If the intent is for the safeguards staff to use the proposed vital equipment/area protection philosophy and analysis assumptions without reactor safety staff holding their hands, then the following comments are in order:

Assumption 4: Some examples would be helpful, e.g., remote shutdown panel, MCC, circuit breakers and local control stations.

Assumption 12: It is clear to the reactor staff how to determine "long enough", but the safeguards staff have no idea of how to make that determination.

Should you have any questions, contact T. Toung or D. Schurter at FTS 463-3853 or 463-3780 respectively.

Division of Reactor Safety and Projects

cc: D. Schurter

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

MEMORANDUM FOR: Robert B. Minogue, Director, Office of Nuclear Regulatory Research

FROM: Demetrios L. Basdekas, Electrical Engineering, Instrumentation & Control Branch, Division of Engineering Technology, RES

SUBJECT: VITAL EQUIPMENT/AREA GUIDELINES STUDY DRAFT REPORT (RES-85-1933)

Bill Morris asked me to review the subject draft report and provide you with my comments with focus on Section VI.A, "Proposed Vital Equipment/Area Protection Philosophy and Analysis Assumptions."

I have reviewed the report and my comments are:

There are some good, prudent conservatisms contained in several proposed assumptions and they reflect the understandable concern about the issue of sabotage. A few assumptions, however, leave potential "windows of vulnerability" which, by and large, correspond to the imperfections of the design basis envelope, that may be responsible for Class IX events.

My primary concern on the issue of sabotage has been related to (1) an insider with knowledge of how the plant works and access to relevant engineering drawings and records and (2) the accessibility and design/operational characteristics of "control systems not required for safety", which nonetheless may have important safety implications considering the fact that, as a rule, have no redundancy or diversity and other desirable characteristics associated with safety grade systems. As an example, our review of the Oconee-1 control systems+ has determined that certain failures in the Integrated Control System (ICS) "hand power" circuitry result in a Core d t unless the operator correctly diagnoses the problem and takes corrective actions within 30 minutes. Considering the fact that the attention of the operator during such a sequence would be heavily taxed by a number of distractions, the chances of recovery may not be acceptable. If a knowledgeable "insider" further degrades the information available in the control room, he may be successful in a sabotage attempt.

I do not know if the ICS "hand power" circuitry is located within a vital area or not. If it is, then the concern is taken care of by the proposed assumptions; if it is not, then it appears that we may have a safeguards problem in plants with such a design. This is just one example I wanted to use as an illustration of the problem. We should not assume that it is the only one.

+ NUREG/CR-4047, Section 32.3.1, "Loss of ICS Hand Power."

Assumption 1

The steam generator tube walls are not considered to be part of the primary system boundary. This should be reconsidered in view of the fact that steam generator tube ruptures may be indirectly caused by malfunctions in not safety related systems.

Assumption 5

It may be prudent to consider including "hot standby."

Assumption 7

There may be a weakness in this assumption in that it does not consider undetected failures. Furthermore, the statement contained in the first sentence under "Rationale" p. 21 is not universally true. Not all Class IX accidents are necessarily of low likelihood.

Assumption 9

This assumption is based in part, on the conclusion that "It is not possible to identify individual cables in cable trays." My understanding of our own identification requirements along with recommended industry practice, as recently codified in IEEE Stds 804/1983 and 805/1984, would indicate that this conclusion may not be correct, particularly for newer plants.

Assumption 10

It is stated as part of this assumption that "The amount of explosives is assumed to be what adversaries can carry." This is too vague and a "design basis amount" could be specified.

I am well aware of the technical and policy related complexities of this issue and I believe that the Vital Area Committee performed a gallant attempt to address them. There is some room for important details to be addressed and I wish I had more time to delve into them with focus on the safeguards implications of control systems because of their obvious potential to affect the safety vector of the plant.

Finally, in reiterating my initial discussion, Criterion 1 of part of Section II, Objectives, p. 3, embodies the primary weakness of some of the proposed assumptions; namely, that it restricts their scope to "the design basis analysis of nuclear power plants." And we know that the design basis envelope has been repeatedly shown to have significant "windows" of vulnerability.

One of my long standing recommendations has been to examine the sabotage aspects of control systems design, installation and maintenance. I hope sometime soon our resource availability will allow us to do that.

If I can help any further, let me know.

Demetrios L. Basdekas
Electrical Engineering, Instrumentation and Control Branch
Division of Engineering Technology, RES

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

MEMORANDUM FOR: Frank J. Miraglia, Chairman, Vital Area Committee

FROM: Robert F. Burnett, Director, Division of Safeguards, NMSS

SUBJECT: VITAL AREA COMMITTEE DRAFT REPORT

The following comments from my technical staff are submitted in response to your memorandum of October 21, 1985:

o It would be helpful if the Committee could make Assumption 3 clearer and more definitive, either in the assumption itself or in its supporting rationale. The rationale for Assumptions 3 and 4 in the October 1, 1985, memorandum from the Vital Area Committee (VAC) to the Management Policy Review Group (MPRG) anticipated that licensees' analyses and demonstrations in response to the Station Blackout (USI A-44) proposal would be available to aid in determination of what additional major components and associated support functions were necessary. Also, the VAC had discussed reasons why extensive service water piping would not need to be vital, but the draft rationale lacks guidance on this. It is suggested that some default positions be developed, and added to either the rationale or the assumptions, to provide guidance on the need for Reactor Coolant Pump (RCP) seal cooling and for support functions such as Heating, Ventilation and Air Conditioning (HVAC), service water piping, diesel generator fuel supplies, and DC battery duration. Whether conservative Final Safety Analysis Report (FSAR) analyses or best-estimate analyses are preferred for vital area decisions should also be addressed. The following are some examples the Committee may wish to consider:

  o Absent licensee analyses, restoration of RCP seal cooling within four hours of reactor trip will be assumed to be necessary to achieve the goal of Assumption 3.

  o Absent best-estimate analyses to the contrary, HVAC systems need not be protected as vital.

  o Absent analyses to the contrary, diesel generator cooling will be assumed essential for diesel generator operation.

o Pages 9 and 10 state that the study scope included credit for plant-specific features such as feed-and-bleed. It would be helpful if the report indicated whether or not credit could be given for feed-and-bleed in site-specific cases where the licensee has submitted an acceptable analysis that shows that it can be used to safely mitigate sabotage-induced transients.

o The period of time that the fuel pool needs to be vital and the degree of conservatism to be used in calculation of that time period could be clarified by changing Assumption 17 to read "following the start of a refueling outage" and by noting in the rationale that, in keeping with Assumption 7, average environmental conditions can be assumed for these calculations. (It is not likely for sabotage to be timed to coincide with extreme environmental conditions.)

(It is not likely for sabotage to be timed to O

In the list of equipnent i n the 4c*:mntinn :3 rationale,

'auto start' and "condensate storage tank" ((CST) should be deleted. Manual start can be acceptable and the CST is not always a vital water source.

In -AssUmotinn_d, the use of the word "disabled" may be more correct than "control led."

If the 1ociWon can be used to prevent licensee control o f the equ-ipr n t, that location need not be protected as vital. In sme plants it would suffice to protect the 1oc:ation of the switch that transfers control from the control room to the remote shutdown panel.

(The control roan w i l l r of course, be vital either way the assumption i s written.)

O O

We recognize that the staff w i l l have to develop an additional layer o f guidance and acceptance cri teria b implement the assumptions. Accordingly, they would appreciate any suggestions the Committee might have concerning their prel iminary ideas as reflected i n the fol 1 owing :

O The VAC intended "reactivity control function' i n

&sun]otinn 3 to equate only to reactor tirip and to not mandate-inclusion of other reactivit,y controls (such as safety injection through boron in jectiorr tanks).

NUREG-1178 O

In Assumotion 9..areas through which large numbers af

?'cables pass" means only areas that are cable vaults or cable spreading areas for safety-related cables and does not require other areas i n which redundant trains of safety-related cables may be located to necessarily be vital.

O Recamnendatton 1.c of the Safety/Safeguards Committee Report, NUREG-0992, i s superceded by the new assumptions.

O Assumotion 5 does not mean all vital equipment can be devitarrzed w r i n g cold shutdown.

O Other than as necessary to protect the primary coolant pressure boundary and one train of equipnent for hot shutdown, no equipment within containments must be protected as vital (for example, equipnent w i t h t n the secondary containments for BWR's).

Robert F. Burnett, Director Division of Safeguards, M S S NUREG-1178

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

DEC 05 1985

MEMORANDUM FOR: Frank J. Miraglia, Chairman, Vital Area Committee

FROM: James M. Taylor, Director, Office of Inspection and Enforcement

SUBJECT: VITAL EQUIPMENT/AREA GUIDELINES STUDY - VITAL AREA COMMITTEE DRAFT REPORT

This is in response to your memorandum of October 21, 1985 which requested comments/concurrence on the subject draft report.

We have reviewed the draft report and agree with the overall philosophy to protect as vital the reactor coolant pressure boundary and one train of equipment to assure achieving and maintaining hot shutdown. However, in view of our experience with the performance of safety systems when called upon in a casualty situation, we believe that further measures are needed to assure the equivalence of redundant protected trains. This is particularly important since one of the assumptions upon which this philosophy is based is that random failures are assumed not to occur simultaneously with an act of radiological sabotage.

Contact: R. Singh, IE (x24149)

cc:
V. Stello, EDO
H. R. Denton, NRR
J. G. Davis, NMSS
R. B. Minogue, RES
T. E. Murley, RI
J. N. Grace, RII
J. G. Keppler, RIII
R. D. Martin, RIV
J. B. Martin, RV
R. F. Burnett, NMSS
F. P. Gillespie, RES
J. G. Partlow, IE

APPENDIX G*

IMPLEMENTATION CONSIDERATIONS FOR REVISED VITAL EQUIPMENT/AREA GUIDELINES

*Designated "Enclosure 3" in March 5, 1986 memorandum transmitting Vital Area Committee Final Report.

Implementation Considerations For Revised Vital Equipment/Area Guidelines

The Committee considered various methods for implementing its findings, including rulemaking, Safety Evaluation Report (SER) staff positions, and follow-up staff reviews. The Committee's conclusions and recommendations with respect to these options are discussed below:

Rulemaking

No change in the rules is necessary to implement the assumptions because the definition of vital equipment now contained in 10 CFR 73.2(i) is broad enough to include the equipment that may be designated as vital under the Committee's assumptions. The very broad terms of the definition allow essentially any safety-related equipment or systems to be designated as vital. The Committee's assumptions fall within the scope of the current definition and protection of vital equipment based upon them would satisfy the standards of 10 CFR 73.55 and be acceptable.

SER Staff Positions

In the initial implementation of 10 CFR 73.55, applicants' and licensees' designations of vital equipment and vital areas were accepted in order to assure that functional security systems were in place promptly at operating reactors. However, the licensees and applicants were advised that the NRC staff intended to conduct a subsequent evaluation and analysis of those designations. Almost without exception, the SERs prepared in conjunction with initial security plan reviews contain language designed to place the licensee or applicant on notice that staff acceptance of the initial vital equipment and vital area designations was conditional.

In the interim between the initial security plan reviews and the independent staff vital equipment and vital area evaluations for individual power plants, Review Guideline 17 (issued in January 1978) has been relied upon by the staff for approving security plans. Review Guideline 17 reflects a prudently conservative approach to security plan reviews warranted by the absence of more precise guidance. At the same time that Review Guideline 17 was being used as staff guidance for security plan reviews, Los Alamos National Laboratory (LANL) was tasked to conduct vital area studies which related directly to longer-range implementation strategy and are consistent with the staff's original position and intentions as expressed in the SERs.

Follow-Up Staff Confirmatory Reviews

As stated above, the NRC staff, through statements contained in the SERs, had advised licensees that it would conduct follow-up confirmatory vital area analyses at future dates.

With contractor assistance from LANL, NRC compiled sabotage fault tree analyses to provide a technical basis for identifying the vital equipment (and areas) in each operating plant. What remains to be done is final verification of vital equipment locations and safeguards actually in place to determine what revisions, if any, are needed in each licensee's protection plans. This can be done effectively and efficiently in conjunction with the ongoing Regulatory Effectiveness Review (RER) Program. These reviews are currently scheduled at the rate of 18 reactor units per year through early 1999. The schedule could be structured to assure that plants whose initial vital area analyses occurred early in the implementation phase of 10 CFR 73.55 are considered early in the RER follow-up confirmations.

The Committee considered the possibility of establishing a special staff capability in the Division of Safeguards to conduct vital area confirmatory reviews on an accelerated schedule. Experience has shown that three trained technical staff personnel, plus supervision and secretarial support, are required to perform 18 vital area validation reviews per year. This is the present capability. Any appreciable acceleration of the schedule would require a sizeable increase in staff. In view of this, and the fact that plants whose physical security plans were approved after 1979 generally satisfy the revised assumptions, the Committee does not believe that an accelerated schedule is necessary or advisable.

D. Implementation Recommendations

The following actions are recommended to implement the revised analysis assumptions:

Issue a Generic Letter to notify all power reactor licensees that the NRC has finalized its vital area assumptions. The Generic Letter will also point out that confirmatory analyses of licensee designations of vital areas, using the revised assumptions, will be accomplished through the Regulatory Effectiveness Review (RER) Program.

Continue the original plan to perform follow-up vital area analyses as stated in the SERs. These analyses will be done in conjunction with the ongoing RER program; each RER report will contain a vital area designation chapter for this purpose.

Provide licensees with the RER analyses, as they are completed, and request that proposed changes be made or that justification be submitted for not instituting changes required to conform with the revised assumptions. For reactor units where RERs have already been conducted (approximately 20), the staff will revise the vital area chapters of the RER reports where necessary, consistent with the final approved vital area assumptions and forward them to the licensees for their review and response as soon as practicable. Additional site visits by LANL should not be required to revise the RER reports, although in some instances, brief visits by staff may be advisable.

If backfit is appropriate at this stage, it will be treated in accordance with the backfit rule on a case-by-case basis. It is recognized that resulting backfits would be spread over an extended period. It cannot be stated at this time how many backfit actions would be required.

E. Follow-On Actions

A second level of licensing acceptance and review criteria will be developed to implement the recommendations of the Vital Area Committee Report. These criteria will be formulated by the NMSS staff and coordinated through appropriate management levels of NRR. NMSS will also revise and coordinate with NRR Section 13.6 of the Standard Review Plan (NUREG-0800) to incorporate by reference the new review criteria.

APPENDIX H*

PROPOSED GENERIC LETTER OF TRANSMITTAL FOR FINAL VAC REPORT

*Designated "Enclosure 4" in March 5, 1986 memorandum transmitting Vital Area Committee Final Report.

Generic L e t t e r o f Transmit:tal f o r \\/AC Report TO:

ALL POWER REACTOR APPLICANTS AND LICENSEES

SUBJECT:

VITAL EQUIPMENT/AREA ANALYSIS GUIDELINES (Generic L e t t e r No. 86-1 Publication o f 10 CFR 73.55 by the Commission i n March o f 1977 s i g n i f i c a n t l y upgraded the protection level o f power reactors against radiological sabotage.

By l a t e 1979, physical security plans r e f l e c t f n g thelse regulations had been re-viewed, approved and largely implemented f o r a l l powler reactors operating a t t h a t time.

However, because i t s p o s i t i o n and guidance on v i t a l equipment and area d e f i n i t i o n s were s t i l l evolving, the s t a f f recognized t h a t subsequent con-firmation o f i t s i n i t i a l findings i n t h i s regard would be necessary and t h a t changes might be required a!; a r e s u l t o f such confirmation.

This recognition has been reflected i n the staff's Safety Evaluation Reports t o date by e i t h e r the following o r a s i m i l a r statement:

"The i d e n t i f i c a t i o n of v i t a l areas and measures t o control access t o these areas, las described i n the plan, may be subject t o amendments i n the future."

The staff has now formalized its guidance on the bases and analysis assumptions to be used in determining the equipment and areas which must be protected as vital in nuclear power plants.

This guidance is identified and discussed in NUREG-1178, "Vital Equipment/Area Guidelines Study-Vital Area Committee Report," dated March, 1986.

A copy of this report is enclosed for your information.

We plan to use these guidelines in our confirmatory analysis of your currently-implemented vital equipment/area protection program.

However, satisfaction of the requirements and assumptions of Review Guideline 17, issued in January, 1978 as an alternative to these guidelines, will continue to be acceptable.

The results of our confirmatory analysis will be provided to you through the ongoing Regulatory Effectiveness Review (RER) Program.

If your facility is among those which have already had an RER, you will be receiving the results of our confirmatory analysis as soon as practicable.

We believe that most of the nuclear power plants reviewed and licensed since January 1980, as well as some licensed earlier, will be found to satisfy the revised analysis assumption guidelines. Such licensees and applicants may, at their option, retain their current vital equipment and area designations or take advantage of the flexibility provided by the refined analysis assumptions.

In the interim, we recommend that you review your vital equipment/area program with respect to the finalized guidance.

This letter is for information only and does not require any response.

Should you have any questions concerning this matter, please contact Donald J. Kasun, Office of Nuclear Material Safety and Safeguards (301-427-4771).

Sincerely,

Victor Stello, Jr.

Acting Executive Director for Operations

Enclosure:

As stated

BIBLIOGRAPHIC DATA SHEET

Report number: NUREG-1178

Title and subtitle: Vital Equipment/Area Guidelines Study: Vital Area Committee Report, Final Report

Date report completed: March 1986

Date report issued: 1988

Performing organization name and mailing address: Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555

Sponsoring organization name and mailing address: Same as 7a above.

Type of report: Technical

Abstract (200 words or less):

A study was conducted by the staff to (1) re-evaluate the guidelines and bases used to determine what are the vital equipment and areas to be protected against radiological sabotage in nuclear power plants and (2) to recommend revised guidance.

On the basis of this study, the staff has recommended a revised vital equipment/area protection philosophy: to protect as vital the reactor coolant pressure boundary and one train of equipment that would provide the capability to achieve and maintain hot shutdown.

To implement this overall protection philosophy, the staff also has recommended new analysis assumptions or guidelines to identify the specific equipment and areas in each plant that require protection as "vital."

Key words/descriptors: Nuclear Power Plants; Physical Security; Sabotage; Physical Modifications; Vital Areas; Vital Equipment; Vital Area Barriers

Availability statement: Unlimited

Security classification (this page): Unclassified

Security classification (this report): Unclassified